M
Michael E. Wheeler
I have a windows xp sp2 machine that has been getting event 1085 errors:
"The Group Policy client-side extension Security failed to execute. Please
look for any errors reported earlier by that extension."
and also event 1202 errors:"Security policies were propagated with warning.
0x534 : No mapping between account names and security IDs was done.
For best results in resolving this event, log on with a non-administrative
account and search http://support.microsoft.com for "Troubleshooting Event
1202's".
A user account in one or more Group Policy objects (GPOs) could not be
resolved to a SID. This error is possibly caused by a mistyped or deleted
user account referenced in either the User Rights or Restricted Groups branch
of a GPO. To resolve this event, contact an administrator in the domain to
perform the following actions:
1. Identify accounts that could not be resolved to a SID:
From the command prompt, type: FIND /I "Cannot find"
%SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output identifies the problem
account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not be determined.
This most likely occurrs because the account was deleted, renamed, or is
spelled differently (e.g. "JohnDoe").
2. Use RSoP to identify the specific User Rights, Restricted Groups, and
Source GPOs that contain the problem accounts:
a. Start-> Run-> MMC.Exe
b. From the File Menu, select "Add/Remove Snap-in"
c. From the "Add/Remove Snap-in" dialog box select "Add…"
d. In the "Add Standalone Snap-in" dialog box select "Resultant Set of
Policy" and click "Add"
e. Select "Close" then "OK" to return to the newly added Snap-in
f. In the scope pane, Right-click on the Resultant Set of Policy node and
select "Generate RSoP Data…"
g. As you proceed through the RSoP wizard, select the following options:
i. Logging Mode
ii. This Computer (or Another Computer if you are performing the
operation remotely).
iii. Do not display user policy settings in the results (display
computer policy settings only)
Then click Finish to generate the RSoP data.
h. Review the results for Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment and Computer
configuration\Windows Settings\Security Settings\Local Policies\Restricted
Groups for any errors flagged with a Red X.
i. For any User Right or Restricted Group marked with a Red X, the
corresponding GPO that contains the problem policy setting is listed under
the column entitled "Source GPO". Note the specific User Rights, Restricted
Groups and containing Source GPOs that are generating errors.
3. Remove unresolved accounts from Group Policy
a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in…"
c. From the "Add/Remove Snap-in" dialog box select "Add…"
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and
click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse"
button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All"
tab
g. For each source GPO identified in step 2, correct the specific User
Rights or Restricted Groups that were flagged with a Red X in step 2. These
User Rights or Restricted Groups can be corrected by removing or correcting
any references to the problem accounts that were identified in step 1.
I have unjoined and rejoined the domain, renaming the computer and readding
the "domain users" group under local administrators.
Please help as machine is freezing and locking up all day long.
"The Group Policy client-side extension Security failed to execute. Please
look for any errors reported earlier by that extension."
and also event 1202 errors:"Security policies were propagated with warning.
0x534 : No mapping between account names and security IDs was done.
For best results in resolving this event, log on with a non-administrative
account and search http://support.microsoft.com for "Troubleshooting Event
1202's".
A user account in one or more Group Policy objects (GPOs) could not be
resolved to a SID. This error is possibly caused by a mistyped or deleted
user account referenced in either the User Rights or Restricted Groups branch
of a GPO. To resolve this event, contact an administrator in the domain to
perform the following actions:
1. Identify accounts that could not be resolved to a SID:
From the command prompt, type: FIND /I "Cannot find"
%SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output identifies the problem
account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not be determined.
This most likely occurrs because the account was deleted, renamed, or is
spelled differently (e.g. "JohnDoe").
2. Use RSoP to identify the specific User Rights, Restricted Groups, and
Source GPOs that contain the problem accounts:
a. Start-> Run-> MMC.Exe
b. From the File Menu, select "Add/Remove Snap-in"
c. From the "Add/Remove Snap-in" dialog box select "Add…"
d. In the "Add Standalone Snap-in" dialog box select "Resultant Set of
Policy" and click "Add"
e. Select "Close" then "OK" to return to the newly added Snap-in
f. In the scope pane, Right-click on the Resultant Set of Policy node and
select "Generate RSoP Data…"
g. As you proceed through the RSoP wizard, select the following options:
i. Logging Mode
ii. This Computer (or Another Computer if you are performing the
operation remotely).
iii. Do not display user policy settings in the results (display
computer policy settings only)
Then click Finish to generate the RSoP data.
h. Review the results for Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment and Computer
configuration\Windows Settings\Security Settings\Local Policies\Restricted
Groups for any errors flagged with a Red X.
i. For any User Right or Restricted Group marked with a Red X, the
corresponding GPO that contains the problem policy setting is listed under
the column entitled "Source GPO". Note the specific User Rights, Restricted
Groups and containing Source GPOs that are generating errors.
3. Remove unresolved accounts from Group Policy
a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in…"
c. From the "Add/Remove Snap-in" dialog box select "Add…"
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and
click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse"
button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All"
tab
g. For each source GPO identified in step 2, correct the specific User
Rights or Restricted Groups that were flagged with a Red X in step 2. These
User Rights or Restricted Groups can be corrected by removing or correcting
any references to the problem accounts that were identified in step 1.
I have unjoined and rejoined the domain, renaming the computer and readding
the "domain users" group under local administrators.
Please help as machine is freezing and locking up all day long.