SCECLI 1202 0x534 No mapping between account names and security IDs was done.

Discussion in 'Windows Server' started by Mark Morrell, Aug 25, 2006.

  1. Mark Morrell

    Mark Morrell Guest

    I am getting this warning on my 2003 DC every 5 minutes:
    SCECLI 1202 0x534 No mapping between account names and security IDs was
    done.

    It started while I was on vacation and everyone swears they didn't make any
    changes to anything (like I believe that!).

    Most of what I have found only applies to 2000, but some helped a little.
    The ones for 2003 don't have the 0x534.

    One article said the Default Domain Controllers Policy lost its link to the
    Domain Controllers container.
    So I added it in again (giving me the same link twice). It seemed to have
    fixed it until I rebooted the server.
    Then it was giving the warning again. I tried it again, but it didn't work
    the second time.

    When I try this:
    find /i "cannot find" %SYSTEMROOT%\security\logs\winlogon.log
    It says Cannont find Power Users

    When I do this one:
    find /i "Power Users" %SYSTEMROOT%\security\logs\winlogon.log
    I get
    Configure Power Users.
    Cannot find Power Users.

    Since there are no local users/groups on a DC, this would make sense to me
    that it can't find it.
    So why is it even looking??

    I have this 2003 DC (also acts as a file server) and a 2000 DC that will be
    upgraded to 2003 early next year.

    Workstations all run 2000 or XPSP2


    Any ideas?
    Fixes?
    Random thoughts?

    Thanks a bunch
    Mark
     
    Mark Morrell, Aug 25, 2006
    #1
    1. Advertisements

  2. Adrian Grigorof, Aug 28, 2006
    #2
    1. Advertisements

  3. Mark Morrell

    Erik Decker Guest

    This is likely what is happening:

    Someone made a change to the User Rights setting at the domain level, adding
    in some local groups (Power Users, Backup Operators, etc) to the permissions
    list. However, Domain Controllers do not have these groups so when Group
    Policy is getting processed every 5 minutes (by default) it is attempting to
    map to an invalid security ID.

    You can have these settings for the User Rights at the domain level, but you
    need to make sure you change the Default Domain Controller Policy as well,
    using Domain groups only at the specific user rights permissions you changed
    at the domain level. Does that make sense?
     
    Erik Decker, Aug 28, 2006
    #3
  4. Mark Morrell

    Mark Morrell Guest

    If you mean the permissions on the group policies, yes I checked. No Power
    Users in there.
    I did find some dead SIDs in there and cleaned them up.
    If you mean inside the policies, it will be next week before I can get
    through them all.

    I didn't dismiss the 2000 articles, they are how I got this far. But that
    was where they stopped helping

    Still getting the error.....
    Thanks
    Mark
     
    Mark Morrell, Aug 29, 2006
    #4
  5. Mark Morrell

    Mark Morrell Guest

    Yes, it makes sense. Finding out where the change was made is the hard
    part.
    Looking in the local computer policy/Computer config/Windows
    settings/Security settings/Local policies/User Rights Assignment on the DC I
    found a few dead SIDs, but no Power Users.
    I do have one in there that won't let me delete the dead SIDs. "Log on as a
    batch job" has two dead SIDs.
    I can't do anything to that one. The two buttons are faded (Add User or
    Group..., and Remove).
    Doesn't matter if I click on anything in the list or not.

    Still digging.....

    Thanks
    Mark
     
    Mark Morrell, Aug 29, 2006
    #5
  6. Mark Morrell

    Mark Morrell Guest

    No idea why, but I logged into the DC with an Enterprise Admin and the
    errors stopped.
    I had been logging in with just Domain Admin.

    We only have one domain with all servers here local, so we don't normally
    use Enterprise Admin.
     
    Mark Morrell, Aug 29, 2006
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.