Microsoft KB Archive/247482

Knowledge Base


Error Message: Security Policies Are Propagated with Warning. 0x534

PSS ID Number: 247482

Article Last Modified on 11/20/2003



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server



This article was previously published under Q247482

SYMPTOMS

Every five minutes, the following event messages are added to the Application log in Event Viewer:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 10/16/1999
Time: 10:13:10 am
User: N/A
Computer: COMPUTERNAME

Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.

-and-


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 10/16/1999
Time: 10:13:11 am
User: NT AUTHORITY\SYSTEM
Computer: COMPUTERNAME

Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).

CAUSE

This issue can occur for any of the following reasons:

  • You install a program that creates user accounts and assigns rights to those user accounts. Later, you remove the program, which deletes the user accounts but does not remove their rights from policy before the accounts are deleted.


-or-

  • You add a user account and assign rights to the account. Later, you delete the account, but you do not remove the account from the user rights policy.


RESOLUTION

To resolve this issue, follow these steps:

  1. Add the ExtensionDebugLevel DWORD value with the value data 2 to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827...}

    NOTE: In the registry key above, {827...} stands for any GUID that starts with "{827".

  2. In a command window, type secedit /refreshpolicy machine_policy /enforce to generate the Winlogon.log file in the Windows_folder\Security\Logs folder.
  3. Restart the Netlogon service.
  4. Search the Winlogon.log file for deleted user accounts.
  5. Confirm that the deleted user account is not listed in any of the User Rights Assignments in the Default Domain Controllers policy or in the Local Security Policy (under the effective settings column).

For additional information about the User Rights Policy, click the article number below to view the article in the Microsoft Knowledge Base:

234237 Assign Log On locally Rights to Windows 2000 Domain Controller


NOTE: The preceding article describes how to add a user to the list. In this case, use the same procedure, except that you delete a user account from the list.
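
Steps 4 and 5 can be scripted once the debug log exists. The following is an added example, not part of the original article or of any Microsoft tool: it extracts the unresolved account names from Winlogon.log text and lists the user rights in a security template's [Privilege Rights] section that still name them. The "Cannot find <account>." log line, the template excerpt and every account name in it are constructed assumptions.

```python
import re

# Constructed sample of Winlogon.log debug output. The "Cannot find <account>."
# line after error 1332 is an assumed layout, not text quoted from the article.
SAMPLE_WINLOGON_LOG = """\
Error 1332: No mapping between account names and security IDs was done.
\tCannot find svc_oldbackup.
Error 1332: No mapping between account names and security IDs was done.
\tCannot find CONTOSO\\jdoe.
\tCannot find svc_oldbackup.
"""

# Constructed template excerpt; entries without "*" are names, not SIDs.
SAMPLE_TEMPLATE = """\
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,svc_oldbackup
SeInteractiveLogonRight = *S-1-5-32-544,CONTOSO\\jdoe,svc_oldbackup
SeBackupPrivilege = *S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

CANNOT_FIND = re.compile(r"^\s*Cannot find (.+?)\.\s*$", re.IGNORECASE)

def unmapped_accounts(log_text):
    """Return unresolvable account names from the log, deduplicated, in order."""
    found = {}
    for line in log_text.splitlines():
        match = CANNOT_FIND.match(line)
        if match:
            found.setdefault(match.group(1).lower(), match.group(1))
    return list(found.values())

def rights_referencing(template_text, accounts):
    """Map each user right to the stale accounts still listed under it."""
    wanted = {a.lower() for a in accounts}
    hits, in_section = {}, False
    for line in (raw.strip() for raw in template_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            right, members = (part.strip() for part in line.split("=", 1))
            stale = [m.strip() for m in members.split(",") if m.strip().lower() in wanted]
            if stale:
                hits[right] = stale
    return hits

if __name__ == "__main__":
    print(rights_referencing(SAMPLE_TEMPLATE, unmapped_accounts(SAMPLE_WINLOGON_LOG)))
```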

STATUS

Microsoft has confirmed that this is a problem in Microsoft Windows 2000.

