Re: Unable to login to SBS Server



Hi kj

Well, I had a conversation with Dell before I contact Microsoft & they
located the following error in the logs, though said they could find no real
problem with any of the group policies or permissions

This is the error they located

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 15/04/2008
Time: 14:57:05
User: N/A
Computer: Server1
Description:
Security policies were propagated with warning. 0x534 : No mapping between
account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com.
Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects
(GPOs) could not be resolved to a SID. This error is possibly caused by a
mistyped or deleted user account referenced in either the User Rights or
Restricted Groups branch of a GPO. To resolve this event, contact an
administrator in the domain to perform the following actions:

1. Identify accounts that could not be resolved to a SID:

From the command prompt, type:
FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem
account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This
most likely occurs because the account was deleted, renamed, or is spelled
differently (e.g. "JohnDoe").

2. Use RSoP to identify the specific User Rights, Restricted Groups, and
Source GPOs that contain the problem accounts:

a. Start -> Run -> RSoP.msc
b. Review the results for Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment and Computer
Configuration\Windows Settings\Security Settings\Local Policies\Restricted
Groups for any errors flagged with a red X.
c. For any User Right or Restricted Group marked with a red X, the
corresponding GPO that contains the problem policy setting is listed under
the column entitled "Source GPO". Note the specific User Rights, Restricted
Groups and containing Source GPOs that are generating errors.

3. Remove unresolved accounts from Group Policy

a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in..."
c. From the "Add/Remove Snap-in" dialog box select "Add..."
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and
click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse" button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g. For each source GPO identified in step 2, correct the specific User
Rights or Restricted Groups that were flagged with a red X in step 2. These
User Rights or Restricted Groups can be corrected by removing or correcting
any references to the problem accounts that were identified in step 1.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Can anyone shed any light please??

Thanks in advance

Paul
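
Steps 1 and 2 of the event text above, scripted as a read-only report. This is an added example and not part of the original post: it assumes PowerShell 2.0 or later on the domain controller, that `$Domain` is the AD DNS domain name, and that each GPO's security template sits at the usual `GptTmpl.inf` location under SYSVOL.

```powershell
# Added example: read-only report, changes nothing. Assumes PowerShell 2.0+ on the DC.
param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: AD DNS domain name

# Step 1: names the event text says to look for in winlogon.log ("Cannot find <name>.")
$log = Join-Path $env:SystemRoot 'Security\Logs\winlogon.log'
$fromLog = @(Select-String -Path $log -Pattern 'Cannot find\s+(.+?)\.?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } | Sort-Object -Unique)

# Step 2: scan each GPO's security template for account names that do not resolve.
$policies = "\\$Domain\SYSVOL\$Domain\Policies"
$report = foreach ($inf in Get-ChildItem $policies -Recurse -Filter GptTmpl.inf) {
    $guid = if ($inf.FullName -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] }
    $section = ''
    foreach ($line in Get-Content $inf.FullName) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ('Privilege Rights', 'Group Membership' -notcontains $section) { continue }
        if ($line -notmatch '^\s*(.+?)\s*=\s*(.*)$') { continue }
        $setting = $Matches[1]
        $names = @($Matches[2] -split ',')
        # Restricted Groups keys look like "<group>__Members"; the group must resolve too.
        if ($section -eq 'Group Membership') { $names += $setting -replace '__Member(s|of)$', '' }
        foreach ($name in $names) {
            $name = $name.Trim()
            if (-not $name -or $name.StartsWith('*')) { continue }   # "*S-1-..." is a literal SID
            try {
                $account = New-Object System.Security.Principal.NTAccount($name)
                $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
            } catch {
                # Any failure to translate the name to a SID is reported for review.
                New-Object PSObject -Property @{
                    Gpo = $guid; Section = $section; Setting = $setting
                    Account = $name; InWinlogonLog = ($fromLog -contains $name)
                }
            }
        }
    }
}
$report | Select-Object Gpo, Section, Setting, Account, InWinlogonLog | Format-Table -AutoSize
```

Each row names the GPO GUID and the User Right or Restricted Group entry to correct by hand in step 3; the script itself edits no policy.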


"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:e8Lm$QMnIHA.3780@xxxxxxxxxxxxxxxxxxxxxxx
paul wrote:
Hi

The new user is a member of the following

Domain Admins
Domain Users
Mobile users
Remote Web Workplace
Local distribution group

I hope this can be resolved as starting to panic a little:)

Cheers

Well those are the correct groups. Reviewing this, you might first check
that the SBS server is in the Domain Controllers OU.

Then perhaps run dcdiag /c /e /v just to be sure there's nothing there.
There are no other Domain controllers, correct?

If this was a by the book install and no one else had privileges to dork
it around, an MS call is looking better all the time.



"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:exUS9lFnIHA.1280@xxxxxxxxxxxxxxxxxxxxxxx
Franky wrote:
Hi Les

Tried this & got exactly the same problem so not sure where to go
from here, do you think it could be a group policy error/problem
even though they do not use at this site?

Possibly. Somebody might have dorked up the template. On the new
user properties, click the "member of" tab and list the groups the
new user has membership.




"Les Connor [SBS MVP]" <les.connor@xxxxxxxxxxxx> wrote in message
news:B2809BC1-C735-4CC8-B7CE-543B72FE58BB@xxxxxxxxxxxxxxxx
What happens if you create another user account, using the
Administrator template?

Does this new account work properly?

--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us


"Franky" <frankie_600@xxxxxxxxxxxxx> wrote in message
news:K6OdnUXzH6EsV2HanZ2dnUVZ8qugnZ2d@xxxxxxxxx
Hi Les

Thanks for your input but I have checked & followed various guides
to resolve this issue & double checked that the administrator is
not part of certain security groups. I've even tried removing the
administrators account from all of the groups & readded one by one
but to no avail. I may have to bite the bullet & call MS for a
solution

"Les Connor [SBS MVP]" <les.connor@xxxxxxxxxxxx> wrote in message
news:11FE832D-39B6-4812-AB04-4C552E568105@xxxxxxxxxxxxxxxx
This is often caused by the Administrator account being added to
security groups that it shouldn't be added to. Like remote users
group, for example.

--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us


"Franky" <frankie_600@xxxxxxxxxxxxx> wrote in message
news:hvSdnfu8RJAa1mbanZ2dnUVZ8qOknZ2d@xxxxxxxxx
Hi

I am hoping someone can help as this is really causing us some
concern, shall I start at the beginning

1) We were asked to look at a SBS 2003 server & found that the
group policy has somehow been altered & we decided to do a
complete re-install of the system. We did a standard install &
everything appeared to be running correctly for about the last
month or so we thought, though we had not rebooted the server at
all since we rebuilt it.

2) As this company had no backup device we purchased & shut the
server down & then fitted backup device & brought server up only
to find we could not login to the SBS server using the admin UID
& PWD. I started to panic at this stage as the error given is
as follows:-

"the local policy of this system does not allow you to logon
interactively"

After checking for this error I followed this guide

http://support.microsoft.com/kb/841188

did not work for me though from the article above I found it was
possible to login to the SBS via RDP & I could use the admin
UID & PWD!!

even though I could login via RDP the problems don't end
there as if I try to run a program using the "run as" command I
receive an error advising:-

"Logon Failure: the user has not been granted the requested
logon type at this computer"

I guess this is because the administrator cannot log on so I
then checked the local policy by running secpol.msc and then
checked Security Settings->Local Policies->User Rights
Assignment->Log on Locally

the administrator is already there though I did note that you
can not add/remove any groups

I then checked the Domain Controller Security Policy & checked
that the administrator was allowed to "log on locally" & it is
there so I am a little stumped as to the cause & was hoping
someone has been through this before who can assist

Thanks in advance

Paul

--
/kj

--
/kj


