Microsoft KB Archive/927061

= Event ID: 1202 occurs when you use Group Policy that defines restricted groups on a computer that is running Microsoft Windows Server 2003 =

Article ID: 927061

Article Last Modified on 11/22/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition

-



SYMPTOMS
When you use the Group policy setting that defines restricted groups on a computer that is running Microsoft Windows Server 2003, the following event may be logged in the Application log: Event Type: Warning

Event Source: SceCli

Event Category: None

Event ID: 1202

Date:

Time:

User: N/A

Computer:

Description: Security policies are propagated with warning. 0x534: No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.



CAUSE
This problem may occur if you add a global group or a universal group as a member of a restricted group.



RESOLUTION
To resolve this problem, remove the global group or the universal group from the membership of the restricted group.



MORE INFORMATION
Because global groups and universal groups are located in the Active Directory, they are restricted. Therefore, you do not have to add a global group or a universal group as a member of a restricted group. Also, if the configured group is a local group, the local group cannot be a member of a global group or of a universal group.

When you view the %windir%\Security\Logs\Winlogon.log file, you will see one or more of the following entries, depending on the type of configured group.

Note In this path, the %windir% placeholder represents the path of the Windows system folder. Typically, C:\Windows is the path of the Windows system folder.   If the configured group is a local group, you will see the following entry: Configure Group Membership. Configure local_group_name. Aliases cannot be members of other groups.

Group Membership configuration was completed with one or more errors.   If the configured group is a global group, and the computer is a domain controller, you will see the following entry: Configure Group Membership. Configure global_group_name. Configure GLOBALNETWORK\Group Policy Creator Owners. Member Of list contains invalid alias My Global Group Cannot find GLOBALNETWORK\My Global Group. Member Of list contains invalid alias My Universal Group Cannot find GLOBALNETWORK\My Universal Group.

Group Membership configuration was completed with one or more errors. 

Keywords: kbexpertiseadvanced kbtshoot KB927061

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.