gpo problem

  • gpo problem

    Hi everybody
    I am having a problem applying any group policy in my domain
    and keep getting 1202 event

    Event Type: Warning
    Event Source: SceCli
    Event Category: None
    Event ID: 1202
    Date: 25-May-08
    Time: 7:36:41 AM
    User: N/A
    Computer: server
    Description:
    Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done.

    For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "troubleshooting 1202 events".
    A user account in one or more Group policy objects (GPOs) could not be resolved to a SID. This error is possibly caused by a mistyped nor deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO. To resolve this event, contact an administrator in the domain to perform the following actions:

    1.Identify accounts that could not be resolved to a SID: From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
    The string following "Cannot find" in the FIND output identifies the problem account names.
    Example: Cannot find JohnDough.
    In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

    2.Identify the GPOs that contain the unresolvable account name:
    From the command prompt type FIND /I "JohnDough" %SYSTEMROOT%\Security\templates\policies\gpt*.*
    The output of the FIND command will resemble the following:
    ---------- GPT00000.DOM
    ---------- GPT00001.DOM
    SeRemoteShutdownPrivilege=JohnDough
    This indicates that of all the GPO’s being applied to this machine, the unresolvable account exists only in one GPO. Specifically, the cached GPO named GPT00001.DOM.
    Now we need to determine the friendly name of this GPO in the next step.

    3. Locate the friendly names of each of the GPOs that contain an unresolvable account name. These GPOs were identified in the previous step.
    From the command prompt, type: FIND /I "[Mapping]" %SYSTEMROOT%\Security\Logs\winlogon.log
    The string following "[Mapping] gpt0000?.dom =" in the FIND output identifies the friendly names for all GPO’s being applied to this machine.
    Example: [Mapping] gpt00001.dom = User Rights Policy
    In this case, the GPO that contains the unresolvable account (gpt00001.dom) has a friendly name of "User Rights Policy".

    4. Remove unresolved accounts from each GPO that contains an unresolvable account.
    a. Start -> Run -> MMC.EXE
    b. From the File menu select "Add/Remove Snap-in…"
    c. From the "Add/Remove Snap-in" dialog box select "Add…"
    d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
    e. In the "Select Group Policy Object" dialog box click the "Browse" button.
    f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
    g. Right click on the first policy identified in step 3 and choose edit
    h. Review each setting under Computer Configuration/ Windows Settings/ Security Settings/ Local Policies/ User Rights
    Assignment or Computer Configuration/ Windows Settings/ SecuritySettings/ Restricted Groups for accounts identified in step 1.
    i. Repeat steps 3g and 3h for all subsequent GPOs identified in step 3.

    can you pls help
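
The three lookup steps in the event text above, combined into one PowerShell function; this is an added example, not part of the original post or of Microsoft's event text. The function name, its parameters and the sample files are constructed for illustration, and the default paths are the ones the event text names.

```powershell
# Added example: automates steps 1-3 of the Event ID 1202 description.
function Find-UnresolvedGpoAccount {   # hypothetical helper name
    param(
        [string]$LogPath     = "$env:SystemRoot\Security\Logs\winlogon.log",
        [string]$TemplateDir = "$env:SystemRoot\Security\templates\policies"
    )
    $log = Get-Content -LiteralPath $LogPath

    # Step 1: account names that follow "Cannot find" in winlogon.log
    $accounts = $log | Select-String -Pattern 'Cannot find\s+(.+?)\.?\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique

    # Step 3: "[Mapping] gpt0000N.dom = <friendly name>" lines
    $friendly = @{}
    $log | Select-String -Pattern '\[Mapping\]\s*(gpt\d+\.\w+)\s*=\s*(.+)$' | ForEach-Object {
        $m = $_.Matches[0].Groups
        $friendly[$m[1].Value.ToLower()] = $m[2].Value.Trim()
    }

    # Step 2: cached templates whose settings reference an unresolved account
    foreach ($account in $accounts) {
        Get-ChildItem -Path $TemplateDir -Filter 'gpt*.*' |
            Select-String -SimpleMatch -Pattern $account |
            ForEach-Object {
                [pscustomobject]@{
                    Account    = $account
                    CachedFile = $_.Filename
                    GpoName    = $friendly[$_.Filename.ToLower()]
                    Setting    = $_.Line.Trim()
                }
            }
    }
}

# Constructed sample data (not from a real system) so the function can be tried offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'gpo1202-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'winlogon.log') -Value @(
    '[Mapping] gpt00000.dom = Default Domain Policy'
    '[Mapping] gpt00001.dom = User Rights Policy'
    'Cannot find JohnDough.'
)
Set-Content -Path (Join-Path $demo 'gpt00000.dom') -Value '[Privilege Rights]', 'SeBackupPrivilege=*S-1-5-32-544'
Set-Content -Path (Join-Path $demo 'gpt00001.dom') -Value '[Privilege Rights]', 'SeRemoteShutdownPrivilege=JohnDough'
Find-UnresolvedGpoAccount -LogPath (Join-Path $demo 'winlogon.log') -TemplateDir $demo | Format-Table -AutoSize
```

Called without arguments on the affected machine, it reads the live log and cached templates; each row names the GPO to open in step 4 and the setting line that still references the unresolved account.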

  • #2
    Re: gpo problem

    There is a setting within a policy that sets restricted group or user rights assignment.

    A possible explanation here is that local groups were defined in restricted groups:

    example: You will get this error if you tried to nest local groups.
    Defined group:
    Remote desktop users

    Member/Members OF:
    Builtin\administrator

    Both are local groups and can not be nested.
    [Powershell]
    Start-DayDream
    Set-Location Malibu Beach
    Get-Drink
    Lay-Back
    Start-Sleep
    ....
    Wake-Up!
    Resume-Service
    Write-Warning
    [/Powershell]

    BLOG: Therealshrimp.blogspot.com

    • #3
      Re: gpo problem

      hello

      not clear can you pls explain more

      thanks

      • #4
        Re: gpo problem

        hi

        How to reset default domain policy and default dc policy on win2k
        and also how to reload them from prev backup
        thanks

        • #5
          Re: gpo problem

          Originally posted by naj
          hi

          How to reset default domain policy and default dc policy on win2k
          and also how to reload them from prev backup
          thanks
          Follow this KB article to re-create default domain policy and default DC policy GPOs.
          http://support.microsoft.com/kb/830062
          There is a link on the bottom of this article to download the utility used to re-create those GPOs.
          Hope this helps.

          • #6
            Re: gpo problem

            And this is why you should never change the settings in default GPOs and keep them as backups.
