And, I agree. But, if you just eliminate all of them at once, I suspect (being the old guy that I am, you youngster you.....) that I'll only have to go through the pain of getting into policy once.

Being of advanced age and all, Brian - I'm trying to save as much time as possible. I'm never sure when I'm going to kick the bucket. <VBSEG>

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, April 25, 2004 7:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SCECLI 1202 Events

Right, but if it's only defined in one place or something (e.g. a Restricted Group), it'd be easier to figure out which rights it's defined in than to search the whole GPO for them with gpedit - there's half a gazillion rights to skim. The log usually will have an error like this anytime it has a problem converting a name to a SID, so, each time it couldn't look up Power Users it would say which right.

--Brian

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sun 4/25/2004 12:52 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] SCECLI 1202 Events

True - but, if the user doesn't exist, it SHOULDN'T be listed at all. Best practice dictates removing all rights to defined users that don't need them and undefined users that don't exist. In this case, Power User doesn't exist, and therefore any place that the user is defined, the user should be removed.

Rick Kingslan

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, April 25, 2004 12:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SCECLI 1202 Events

Even easier, just scroll through the log and see what policy/right/whatever it's trying to apply with Power Users.

--Brian

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Sun 4/25/2004 9:40 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] SCECLI 1202 Events

Power Users do not exist on DCs. Go to the Default Domain Controller Policy and look through all of the User Rights and remove any entries for the Power User principal.
You should also be receiving event 1000's, also - yes?

Rick Kingslan

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, April 25, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SCECLI 1202 Events

Hello everybody,

I am getting this event very frequently.

Event id 1202
"Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done."

KB Article http://support.microsoft.com/default.aspx?scid=kb;en-us;324383 gives a good explanation of this, and with it I could trace that there is a problem with the Power Users account.

When I give this command:

1. C:\>FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

---------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.

2. C:\>FIND /I "power users" %SYSTEMROOT%\Security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF

3. C:\>FIND /I "[Mapping]" %SYSTEMROOT%\Security\Logs\winlogon.log

---------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
[Mapping] gpt00000.dom = Default Domain Policy
[Mapping] gpt00001.inf = Default Domain Policy
[Mapping] gpt00000.dom = Default Domain Policy
[Mapping] gpt00001.inf = Default Domain Policy
[Mapping] gpt00000.dom = Default Domain Policy
[Mapping] gpt00001.inf = Default Domain Policy
[Mapping] gpt00000.dom = Default Domain Policy
[Mapping] gpt00001.inf = Default Domain Policy

Here, the machine is an additional domain controller which I promoted very recently. I could identify the account, which is Power Users, and the GPO is Default Domain Policy.
But the Power Users is no more existing. How should I resolve this? I think I am very close to the solution, but I really don't know where?? How do I resolve this??

Regards,
Mohammed Athif Khaleel
Asst. Network Engineer
AlFaisaliah Group
Information Technology
Tel.: +966-1-461-0077 x.209
Mobile: +966-59774015
Email: [EMAIL PROTECTED]
"Save Internet, Keep all the systems patched"
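The lookup discussed in this thread (take the names winlogon.log reports as "Cannot find", then see which entries in the cached GPT*.inf templates still reference them) can be scripted. The following is an added example, not part of the original messages; the log and template contents are constructed samples, the function names are hypothetical, and it goes one step further than the FIND commands by reporting the template section and key for each hit.

```python
import re

# Constructed sample of winlogon.log output (not from a real system).
SAMPLE_LOG = "Cannot find Power Users.\nCannot find Power Users.\nConfigure S-1-5-32-544.\n"

# Constructed security template in the INF layout of GPT*.inf files.
# Real templates may be UTF-16 encoded; decode them before passing text in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,Power Users
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-32-544,Power Users
[Group Membership]
Power Users__Members =
"""

def unresolved_names(log_text):
    """Return the distinct account names reported as 'Cannot find <name>.'"""
    names = re.findall(r"^\s*Cannot find (.+?)\.?\s*$", log_text, re.I | re.M)
    return sorted({n.strip() for n in names}, key=str.lower)

def find_references(inf_text, name):
    """Return (section, key) pairs whose key or value names the account."""
    hits, section, want = [], None, name.lower()
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        principals = [p.strip().strip('"').lower() for p in value.split(",")]
        group = key.split("__")[0].strip().lower()  # "<group>__Members" keys
        if want in principals or group == want:
            hits.append((section, key))
    return hits

def report(log_text, templates):
    """Map each unresolved name to the template entries that reference it."""
    return {n: {f: find_references(t, n) for f, t in templates.items()}
            for n in unresolved_names(log_text)}

if __name__ == "__main__":
    print(report(SAMPLE_LOG, {"gpt00001.inf": SAMPLE_INF}))
```
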
