RE: SCECLI 1202 0x534 No mapping between account names and security ID

This is likely what is happening:

Someone made a change to the User Rights setting at the domain level, adding
in some local groups (Power Users, Backup Operators, etc) to the permissions
list. However, Domain Controllers do not have these groups so when Group
Policy is getting processed every 5 minutes (by default) it is attempting to
map to an invalid security ID.

You can have these settings for the User Rights at the domain level, but you
need to make sure you change the Default Domain Controller Policy as well,
using Domain groups only at the specific user rights permissions you changed
at the domain level. Does that make sense?

"Mark Morrell" wrote:

I am getting this warning on my 2003 DC every 5 minutes:
SCECLI 1202 0x534 No mapping between account names and security IDs was
done.

It started while I was on vacation and everyone swears they didn't make any
changes to anything (like I believe that!).

Most of what I have found only applies to 2000, but some helped a little.
The ones for 2003 don't have the 0x534.

One article said the Default Domain Controllers Policy lost its link to the
Domain Controllers container.
So I added it in again (giving me the same link twice). It seemed to have
fixed it until I rebooted the server.
Then it was giving the warning again. I tried it again, but it didn't work
the second time.

When I try this:
find /i "cannot find" %SYSTEMROOT%\security\logs\winlogon.log
It says Cannont find Power Users

When I do this one:
find /i "Power Users" %SYSTEMROOT%\security\logs\winlogon.log
I get
Configure Power Users.
Cannot find Power Users.

Since there are no local users/groups on a DC, this would make sense to me
that it can't find it.
So why is it even looking??

I have this 2003 DC (also acts as a file server) and a 2000 DC that will be
upgraded to 2003 early next year.

Workstations all run 2000 or XPSP2


Any ideas?
Fixes?
Random thoughts?

Thanks a bunch
Mark



.

Relevant Pages

  • Re: Application requires administrator permissions to run
    ... template and applied it to the system. ... >registry keys that Dragon needs and grant the user rights ... >make your people Power Users. ...
    (microsoft.public.win2000.security)
  • Re: Application requires administrator permissions to run
    ... Sue, ... registry keys that Dragon needs and grant the user rights to those, ... make your people Power Users. ... > is a voice recognition program ...
    (microsoft.public.win2000.security)
  • RE: Symantec LiveUpdate and User Rights on Win2000
    ... You can add the users to the power users group. ... virus definitions. ... they are no longer able to install AV definitions through the LiveUpdate ... Trojan/virus has less of a chance of being initialized under user rights, ...
    (Security-Basics)
  • RE: Symantec LiveUpdate and User Rights on Win2000
    ... Symantec LiveUpdate and User Rights on Win2000 ... You can add the users to the power users group. ... they are no longer able to install AV definitions through the LiveUpdate ...
    (Security-Basics)
  • Re: Disallow Power Users installation right
    ... will be to use Local Group Policy (no ... need to AD) and disable the add/remove programs policy. ... >there user rights and/or policies that can be set locally ... >> Are you sure it really need Power users rights? ...
    (microsoft.public.win2000.security)
Loading