Peter Kaufman
Hi,
I took some bad advice and deleted the IUSER and IWAM accounts for a
long dead and removed server. Now I am getting event log error 1202
0x534, that there is a mapping error between an SID and account name.
I have looked at the KB articles on this which have been limited help.
I have found these user accounts in the local security settings with
rights to log on as a batch job etc. I'm assuming that is where the
problem lies as I use very few GPOs and do not specifically list
these accounts in the ones I do have.
I could not see how to remove them (from the logon as a batch job
right) except by defining a domain GPO which listed specific accounts
of course not including the problem ones (which don't exist in AD
anymore anyway) which could log in as batch job. I have done that
both in a new GPO at the top of the list, and also the default domain
GPO, but the local security settings do not change. They still list
these dead accounts along with others.
Why is the domain GPO not overriding the local security settings, and
also if there is a better approach to stopping these event log errors
what is it?
Am I on the wrong track being concerned that the accounts are in the
local security settings? If they are in a GPO they are not there by
name - how do I find the offending entry in the GPO?
Thanks,
Peter