Some Group Policy settings not working..


I'm having trouble pushing out login scripts through GPO. After going through hours of research and troubleshooting I have come to the conclusion that the GPO is set correctly. While looking at the event logs I noticed several errors referring to GP. I'm getting the error below:

Event Type:    Warning
Event Source:    SceCli
Event Category:    None
Event ID:    1202
Date:        3/31/2009
Time:        12:39:38 PM
User:        N/A
Description:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "troubleshooting 1202 events".
A user account in one or more Group Policy objects (GPOs) could not be resolved to a SID. This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO. To resolve this event, contact an administrator in the domain to perform the following actions:

1. Identify accounts that could not be resolved to a SID: From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output identifies the problem account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not be determined. This occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2. Identify the GPOs that contain the unresolvable account name:
From the command prompt, type: FIND /I "JohnDough" %SYSTEMROOT%\security\templates\policies\gpt*.*
    The output of the FIND command will resemble the following:
    ---------- GPT00000.DOM
    ---------- GPT00001.DOM
    SeRemoteShutdownPrivilege=JohnDough
    This indicates that of the GPOs being applied to this machine, the unresolvable account exists in one GPO. Specifically, the cached GPO named GPT00001.DOM.
    You will need to determine the friendly name of this GPO in the next step.

3. Locate the friendly names of each of the GPOs that contain the unresolvable account name. These are the GPOs identified in the previous step.
From the command prompt, type: FIND /I "[mapping]" %SYSTEMROOT%\security\logs\winlogon.log
    The string following "[mapping] GPT0000?.DOM =" in the FIND output identifies the friendly names of the GPOs being applied to this machine.
    Example: [mapping] GPT00001.DOM = User Rights Policy
    In this case, the GPO that contains the unresolvable account (GPT00001.DOM) has a friendly name of "User Rights Policy".

4. Remove unresolved accounts from each GPO that contains an unresolvable account.
    a. Start -> Run -> MMC.EXE
    b. From the File menu select "Add/Remove Snap-in"
    c. From the "Add/Remove Snap-in" dialog box select "Add"
    d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
    e. In the "Select Group Policy Object" dialog box click the "Browse" button.
    f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
    g. Right-click on the first policy identified in step 3 and choose Edit
    h. Review each setting under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment or Computer Configuration\Windows Settings\Security Settings\Restricted Groups for the accounts identified in step 1.
    i. Repeat steps 3g and 3h for subsequent GPOs identified in step 3.


So, I looked at winlogon.log and noticed this error:

----Configure User Rights...
    Configure S-1-5-32-544.
    Configure S-1-5-32-551.
    Configure S-1-5-21-854245398-515967899-682003330-1002.
    Configure S-1-5-21-854245398-515967899-682003330-1001.
    Configure Power Users.
Error 1332: No mapping between account names and security IDs was done.
     Cannot find Power Users.
    Configure S-1-5-32-545.
    Configure S-1-1-0.
    Configure S-1-5-6.
    Configure S-1-5-21-854245398-515967899-682003330-1003.
    Configure S-1-5-21-854245398-515967899-682003330-1000.
    Configure S-1-5-21-854245398-515967899-682003330-501.

At this point I'm wondering if I'm missing the Power Users group in AD.

Can anyone shine some light on this? Am I looking in the right place? By the way, it's a 2000 DC.

Hi,

Event 1202 may not be related to the logon script problem. To verify, disable the problem account, problem setting, and problem GPO and test if the logon script works. If it still does not work, please try the steps below to collect information and narrow down the cause of the issue.

1.    In the same GPO, are other settings applied? If the logon script cannot work, please try to run the script manually on the clients to make sure the script is working.

2.    If the script works when running manually, please collect the following log.

  Use Registry Editor to add or modify the following registry entry:
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 0x00030002 (Hexadecimal)

After the errors appear, find the %systemroot%\debug\usermode\userenv.log file, zip it and send it to tfwst@microsoft.com.

It's suggested to try the suggestions in the following article.

Introduction to Troubleshooting Logon Script Problems
http://www.computerperformance.co.uk/logon/logon_script_troubleshooting.htm
Please note: since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.

