Re: SCECLI 1202 0x534 No mapping between account names and security ID

Yes, it makes sense. Finding out where the change was made is the hard
part.
Looking in the local computer policy/Computer config/Windows
settings/Security settings/Local policies/User Rights Assignment on the DC I
found a few dead SIDs, but no Power Users.
I do have one in there that won't let me delete the dead SIDs. "Log on as a
batch job" has two dead SIDs.
I can't do anything to that one. The two buttons are faded (Add User or
Group..., and Remove).
Doesn't matter if I click on anything in the list or not.

Still digging.....

Thanks
Mark

"Erik Decker" <Erik.Decker@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ED182A61-E9A8-499C-868A-2326340BF88C@xxxxxxxxxxxxxxxx
This is likely what is happening:

Someone made a change to the User Rights setting at the domain level,
adding
in some local groups (Power Users, Backup Operators, etc) to the
permissions
list. However, Domain Controllers do not have these groups so when Group
Policy is getting processed every 5 minutes (by default) it is attempting
to
map to an invalid security ID.

You can have these settings for the User Rights at the domain level, but
you
need to make sure you change the Default Domain Controller Policy as well,
using Domain groups only at the specific user rights permissions you
changed
at the domain level. Does that make sense?

"Mark Morrell" wrote:

I am getting this warning on my 2003 DC every 5 minutes:
SCECLI 1202 0x534 No mapping between account names and security IDs was
done.

It started while I was on vacation and everyone swears they didn't make
any
changes to anything (like I believe that!).

Most of what I have found only applies to 2000, but some helped a little.
The ones for 2003 don't have the 0x534.

One article said the Default Domain Controllers Policy lost its link to
the
Domain Controllers container.
So I added it in again (giving me the same link twice). It seemed to
have
fixed it until I rebooted the server.
Then it was giving the warning again. I tried it again, but it didn't
work
the second time.

When I try this:
find /i "cannot find" %SYSTEMROOT%\security\logs\winlogon.log
It says Cannont find Power Users

When I do this one:
find /i "Power Users" %SYSTEMROOT%\security\logs\winlogon.log
I get
Configure Power Users.
Cannot find Power Users.

Since there are no local users/groups on a DC, this would make sense to
me
that it can't find it.
So why is it even looking??

I have this 2003 DC (also acts as a file server) and a 2000 DC that will
be
upgraded to 2003 early next year.

Workstations all run 2000 or XPSP2


Any ideas?
Fixes?
Random thoughts?

Thanks a bunch
Mark





.