W
wutsitallabout
It's still happening. I've mentioned on this group before
about not being able to perform Admin tasks even though
logged on as the local built in Administrator (no domain),
at home, at work and other people I know as well. Tonight
I tried to view my security logs and was denied access to
do so. The message was.....
"Unable to complete the operation on "security log". A
required privilege is not held by the client".
I searched for the "winlogon.txt". I'm not sure if in
effect I'm looking at the security log, but here's what it
says.
I hope this makes sense to someone out there.
Thanks very much.
**********************************************************
----Configure User Rights...
Configure Administrators.
Error 1332: No mapping between account names and security
IDs was done.
Cannot find Administrators.
Configure S-1-5-32-551.
Configure S-1-5-32-547.
Configure S-1-5-32-545.
Configure S-1-1-0.
Configure S-1-5-21-1614895754-682003330-839522115-
501.
Configure S-1-5-32-544.
Configure S-1-5-21-1614895754-682003330-839522115-
1000.
Configure S-1-5-21-1614895754-682003330-839522115-
500.
Configure S-1-5-21-1614895754-682003330-839522115-
1002.
User Rights configuration completed with error.
I also looked at the application log. Geez I was allowed
to see that!.....
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 9/15/2003
Time: 11:55:12 PM
User: N/A
Computer: JUICE
Description:
Security policies are propagated with warning. 0x534 : No
mapping between account names and security IDs was done.
For best results in resolving this event, log on with a
non-administrative account and search
http://support.microsoft.com for "troubleshooting 1202
events".
A user account in one or more Group policy objects (GPOs)
could not be resolved to a SID. This error is possibly
caused by a mistyped nor deleted user account referenced
in either the User Rights or Restricted Groups branch of a
GPO. To resolve this event, contact an administrator in
the domain to perform the following actions:
1.Identify accounts that could not be resolved to a SID:
From the command prompt, type: FIND /I "Cannot find" %
SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output
identifies the problem account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not
be determined. This most likely occurs because the account
was deleted, renamed, or is spelled differently
(e.g. "JohnDoe").
2.Identify the GPOs that contain the unresolvable account
name:
From the command prompt type FIND /I "JohnDough" %
SYSTEMROOT%\Security\templates\policies\gpt*.*
The output of the FIND command will resemble the
following:
---------- GPT00000.DOM
---------- GPT00001.DOM
SeRemoteShutdownPrivilege=JohnDough
This indicates that of all the GPO's being applied
to this machine, the unresolvable account exists only in
one GPO. Specifically, the cached GPO named GPT00001.DOM.
Now we need to determine the friendly name of this
GPO in the next step.
3. Locate the friendly names of each of the GPOs that
contain an unresolvable account name. These GPOs were
identified in the previous step.
From the command prompt, type: FIND /I "[Mapping]" %
SYSTEMROOT%\Security\Logs\winlogon.log
The string following "[Mapping] gpt0000?.dom =" in
the FIND output identifies the friendly names for all
GPO's being applied to this machine.
Example: [Mapping] gpt00001.dom = User Rights
Policy
In this case, the GPO that contains the
unresolvable account (gpt00001.dom) has a friendly name
of "User Rights Policy".
4. Remove unresolved accounts from each GPO that contains
an unresolvable account.
a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in."
c. From the "Add/Remove Snap-in" dialog box
select "Add."
d. In the "Add Standalone Snap-in" dialog box
select "Group Policy" and click "Add"
e. In the "Select Group Policy Object" dialog box
click the "Browse" button.
f. On the "Browse for a Group Policy Object"
dialog box choose the "All" tab
g. Right click on the first policy identified in
step 3 and choose edit
h. Review each setting under Computer
Configuration/ Windows Settings/ Security Settings/ Local
Policies/ User Rights
Assignment or Computer Configuration/ Windows
Settings/ SecuritySettings/ Restricted Groups for accounts
identified in step 1.
i. Repeat steps 3g and 3h for all subsequent GPOs
identified in step 3.
about not being able to perform Admin tasks even though
logged on as the local built in Administrator (no domain),
at home, at work and other people I know as well. Tonight
I tried to view my security logs and was denied access to
do so. The message was.....
"Unable to complete the operation on "security log". A
required privilege is not held by the client".
I searched for the "winlogon.txt". I'm not sure if in
effect I'm looking at the security log, but here's what it
says.
I hope this makes sense to someone out there.
Thanks very much.
**********************************************************
----Configure User Rights...
Configure Administrators.
Error 1332: No mapping between account names and security
IDs was done.
Cannot find Administrators.
Configure S-1-5-32-551.
Configure S-1-5-32-547.
Configure S-1-5-32-545.
Configure S-1-1-0.
Configure S-1-5-21-1614895754-682003330-839522115-
501.
Configure S-1-5-32-544.
Configure S-1-5-21-1614895754-682003330-839522115-
1000.
Configure S-1-5-21-1614895754-682003330-839522115-
500.
Configure S-1-5-21-1614895754-682003330-839522115-
1002.
User Rights configuration completed with error.
I also looked at the application log. Geez I was allowed
to see that!.....
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 9/15/2003
Time: 11:55:12 PM
User: N/A
Computer: JUICE
Description:
Security policies are propagated with warning. 0x534 : No
mapping between account names and security IDs was done.
For best results in resolving this event, log on with a
non-administrative account and search
http://support.microsoft.com for "troubleshooting 1202
events".
A user account in one or more Group policy objects (GPOs)
could not be resolved to a SID. This error is possibly
caused by a mistyped nor deleted user account referenced
in either the User Rights or Restricted Groups branch of a
GPO. To resolve this event, contact an administrator in
the domain to perform the following actions:
1.Identify accounts that could not be resolved to a SID:
From the command prompt, type: FIND /I "Cannot find" %
SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output
identifies the problem account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not
be determined. This most likely occurs because the account
was deleted, renamed, or is spelled differently
(e.g. "JohnDoe").
2.Identify the GPOs that contain the unresolvable account
name:
From the command prompt type FIND /I "JohnDough" %
SYSTEMROOT%\Security\templates\policies\gpt*.*
The output of the FIND command will resemble the
following:
---------- GPT00000.DOM
---------- GPT00001.DOM
SeRemoteShutdownPrivilege=JohnDough
This indicates that of all the GPO's being applied
to this machine, the unresolvable account exists only in
one GPO. Specifically, the cached GPO named GPT00001.DOM.
Now we need to determine the friendly name of this
GPO in the next step.
3. Locate the friendly names of each of the GPOs that
contain an unresolvable account name. These GPOs were
identified in the previous step.
From the command prompt, type: FIND /I "[Mapping]" %
SYSTEMROOT%\Security\Logs\winlogon.log
The string following "[Mapping] gpt0000?.dom =" in
the FIND output identifies the friendly names for all
GPO's being applied to this machine.
Example: [Mapping] gpt00001.dom = User Rights
Policy
In this case, the GPO that contains the
unresolvable account (gpt00001.dom) has a friendly name
of "User Rights Policy".
4. Remove unresolved accounts from each GPO that contains
an unresolvable account.
a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in."
c. From the "Add/Remove Snap-in" dialog box
select "Add."
d. In the "Add Standalone Snap-in" dialog box
select "Group Policy" and click "Add"
e. In the "Select Group Policy Object" dialog box
click the "Browse" button.
f. On the "Browse for a Group Policy Object"
dialog box choose the "All" tab
g. Right click on the first policy identified in
step 3 and choose edit
h. Review each setting under Computer
Configuration/ Windows Settings/ Security Settings/ Local
Policies/ User Rights
Assignment or Computer Configuration/ Windows
Settings/ SecuritySettings/ Restricted Groups for accounts
identified in step 1.
i. Repeat steps 3g and 3h for all subsequent GPOs
identified in step 3.