Re: Unable to login to SBS Server

Franky wrote:
HI kj

Well I had a conversation with dell before i contact microsoft & they
located the following error in the logs though said they could find
no real problem with any of the group policys or permissions


You called MS, they charged you, and said "we don't know"?


This is the error they located

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 15/04/2008
Time: 14:57:05
User: N/A
Computer: Server1
Description:
Security policies were propagated with warning. 0x534 : No mapping
between account names and security IDs was done.

Advanced help for this problem is available on
http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy
objects (GPOs) could not be resolved to a SID. This error is
possibly caused by a mistyped or deleted user account referenced in
either the User Rights or Restricted Groups branch of a GPO. To
resolve this event, contact an administrator in the domain to perform
the following actions:
1. Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"
%SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the
problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be
determined. This most likely occurs because the account was deleted,
renamed, or is spelled differently (e.g. "JohnDoe").

2. Use RSoP to identify the specific User Rights, Restricted Groups,
and Source GPOs that contain the problem accounts:

a. Start -> Run -> RSoP.msc
b. Review the results for Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment and
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Restricted Groups for any errors flagged with a red X.
c. For any User Right or Restricted Group marked with a red X, the
corresponding GPO that contains the problem policy setting is listed
under the column entitled "Source GPO". Note the specific User
Rights, Restricted Groups and containing Source GPOs that are
generating errors.
3. Remove unresolved accounts from Group Policy

a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in..."
c. From the "Add/Remove Snap-in" dialog box select "Add..."
d. In the "Add Standalone Snap-in" dialog box select "Group Policy"
and click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse"
button. f. On the "Browse for a Group Policy Object" dialog box
choose the "All" tab g. For each source GPO identified in step 2,
correct the specific User Rights or Restricted Groups that were
flagged with a red X in step 2. These User Rights or Restricted
Groups can be corrected by removing or correcting any references to
the problem accounts that were identified in step 1.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Can anyone shed any light please??

Thanks in advance

Paul


"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:e8Lm$QMnIHA.3780@xxxxxxxxxxxxxxxxxxxxxxx
paul wrote:
Hi

The new user is a member of the following

Domain Admins
Domain Users
Mobile users
Remote Web Workplace
Local distribution group

I hope this can be resolved as starting to panic a little:)

Cheers

Well those are the correct groups. Reviewing this, you might first
check that the SBS server is in the Domain Controllers OU.

Then perhaps run dcdiag /c /e /v just to be sure there's nothing
there. There are no other Domain controllers, correct?

If this was a by the book install and no one else had priviledges to
dork it around, and MS call is looking better all the time.



"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:exUS9lFnIHA.1280@xxxxxxxxxxxxxxxxxxxxxxx
Franky wrote:
Hi Les

Tried this & got exactly the same problem so not sure where to go
from here, do you think it could be a group policy error/problem
even though they do not use at this site?

Posssibly. Somebody might have dorked up the template. On the new
user properties, click the "member of" tab and list the groups the
new users has membership.




"Les Connor [SBS MVP]" <les.connor@xxxxxxxxxxxx> wrote in message
news:B2809BC1-C735-4CC8-B7CE-543B72FE58BB@xxxxxxxxxxxxxxxx
What happens if you create another user account, using the
Administrator template?

Does this new account work properly?

--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us


"Franky" <frankie_600@xxxxxxxxxxxxx> wrote in message
news:K6OdnUXzH6EsV2HanZ2dnUVZ8qugnZ2d@xxxxxxxxx
Hi Les

Thanks for your input but I have checked & followed various
guides to resolve this issue & double checked that the
administrator is not part of certain security groups. I've
even tried removing the administrators account from all of the
groups & readded one by one but to no avail. I may have to bite
the bullet & call MS for a solution "Les Connor [SBS MVP]"
<les.connor@xxxxxxxxxxxx> wrote in message
news:11FE832D-39B6-4812-AB04-4C552E568105@xxxxxxxxxxxxxxxx
This is often caused by the Administrator account being added
to security groups that it shouldn't be added to. Like remote
users group, for example.

--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us


"Franky" <frankie_600@xxxxxxxxxxxxx> wrote in message
news:hvSdnfu8RJAa1mbanZ2dnUVZ8qOknZ2d@xxxxxxxxx
Hi

I am hoping someone can help as this is really causing us some
concern, shall I start at the beginning

1) We were asked to look at a SBS 2003 server & found that the
group policy has somehow been altered & we decided to do a
complete re-install of the system. We did a standard install
& everything appeared to be running correctly for about the
last month or so we thought, though we had not rebooted the
server at all since we rebuilt it.

2) As this company had no backup device we purchased & shut
the server down & then fitted backup device & brought server
up only to find we could not login to the SBS server using
the admin UID & PWD. I started to panic at this stage as the
error given is as follows:- "the local policy of this system
does not allow you to logon
interactively"

After checking for this error I followed this guide

http://support.microsoft.com/kb/841188

did not work for me though from the article above I found it
was possible to login to the SBS via RDP & I could use the
admin UID & PWD!!

even though I could login the via RDP the problems don't end
there as if I try to run a program using the "run as" command
I receive an error advising
:-

"Logon Failure: the user has not been granted the requested
logon type at this computer"

I guess this is because the administrator cannot log on so I
then checked the local policy by running secpol.msc and then
checked Security Settings->Local Policies->User Rights
Assignment->Log on Locally

the administrator is already there though I did note that you
can not add/remove any groups

I then checked the Domain Controller Security Policy & checked
that the administrator was allowed to "log on locally" & it is
there so I am a little stumped as to the cause & was hoping
someone has been through this before who can assist

Thanks in advance

Paul

--
/kj

--
/kj

--
/kj


.