Microsoft KB Archive/247482

= Error Message: Security Policies Are Propagated with Warning. 0x534 =

PSS ID Number: 247482

Article Last Modified on 11/20/2003


The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q247482



SYMPTOMS
Every five minutes the following event error messages are added to the Application log in Event Viewer:

Event Type: Warning

Event Source: SceCli

Event Category: None

Event ID: 1202

Date: 10/16/1999

Time: 10:13:10 am

User: N/A

Computer: COMPUTERNAME

Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.

-and-

Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1000

Date: 10/16/1999

Time: 10:13:11 am

User: NT AUTHORITY\SYSTEM

Computer: COMPUTERNAME

Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).



CAUSE
This issue can occur for any of the following reasons:
 * You install a program that creates user accounts and assigns rights to those user accounts. Later, you remove the program, which deletes the user accounts but does not remove the rights from policy before the accounts are deleted.

-or-
 * You add a user account and assign rights to the account. Later, you delete the account, but you do not remove the account from the user rights policy.



RESOLUTION
To resolve this issue, follow these steps:

 1. Add the ExtensionDebugLevel DWORD value with the value data 2 to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtension\{827...}

    NOTE: In the registry key, "{827...}" stands for any GUID starting with "{827".
 2. At a command prompt, type secedit /refreshpolicy machine_policy /enforce to generate the Winlogon.log file in the \Security\Logs folder.
 3. Restart the Netlogon service.
 4. Search the Winlogon.log file for deleted user accounts.
 5. Confirm that the deleted user account is not located in any of the User Rights Assignments in the Default Domain Controllers policy or in the Local Security Policy, under the effective settings column.

For additional information about the User Rights Policy, click the article number below to view the article in the Microsoft Knowledge Base:

234237 Assign Log On locally Rights to Windows 2000 Domain Controller

NOTE: The preceding article describes how to add a user to the list. In this case you use the same procedure except you delete a user account from the list.
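
The cause described above (a deleted account still listed in a user rights assignment) can also be checked directly. The following is an added example, not part of the original article: it goes beyond the Winlogon.log search by reading the [Privilege Rights] section of a security template and reporting every entry that no longer maps to an account. The function names, the sample account and the use of PowerShell on a domain-joined management machine are assumptions.

```powershell
# Added example, not part of the KB article. Reports entries in the
# [Privilege Rights] section of a security template that no longer map
# to an account (Win32 error 1332, shown as 0x534 in the SceCli warning).

function Test-PrincipalResolves {
    param([string] $Entry)
    try {
        if ($Entry.StartsWith('*')) {
            # Template syntax: a leading '*' marks a SID string.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            [void] $sid.Translate([System.Security.Principal.NTAccount])
        } else {
            $account = New-Object System.Security.Principal.NTAccount($Entry)
            [void] $account.Translate([System.Security.Principal.SecurityIdentifier])
        }
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

function Get-UnmappedRightsEntry {
    param([string[]] $TemplateLine)
    $inRights = $false
    foreach ($line in $TemplateLine) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Track which INF section the following lines belong to.
            $inRights = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inRights -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $name = $entry.Trim()
                if ($name -and -not (Test-PrincipalResolves $name)) {
                    New-Object psobject -Property @{ Right = $right; Entry = $name }
                }
            }
        }
    }
}

# Constructed sample; CONTOSO\svc-oldapp stands for an account that was deleted.
$sample = @(
    '[Privilege Rights]',
    'SeServiceLogonRight = *S-1-5-20,CONTOSO\svc-oldapp',
    'SeInteractiveLogonRight = *S-1-5-32-544'
)
Get-UnmappedRightsEntry -TemplateLine $sample | Format-Table Right, Entry
```

To check a real policy, pass the lines of a copy of its security template to -TemplateLine (for example with Get-Content) instead of the constructed sample. Each reported entry is an account to remove from the listed user right.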


STATUS
Microsoft has confirmed that this is a problem in Microsoft Windows 2000.


© 2004 Microsoft Corporation. All rights reserved.