DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 2000705 - Last Review: June 15, 2010 - Revision: 12.0

Symptoms

For more information, see the following article in the Microsoft Knowledge Base:

974639 SceCli 1202 events are logged every time Computer Group Policy settings are refreshed on a computer that is running Windows Server 2008 R2 or Windows 7

The Application log on Windows Server 2008 R2 domain controllers contains Event ID 1202 with status code "0x534 : No mapping between account names and security IDs was done" every time security policy is applied. The relevant part of the Event ID 1202 is shown below: 

Log Name:      Application
Source:        SceCli
Date:          MM/DD/YYYY HH:MM:SS AM | PM
Event ID:      1202
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      <computer name>
Description:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
 
Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".
 
Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

The WINLOGON.LOG contains the following text:

...

Configure S-1-1-0.
Configure S-1-5-11.
Configure S-1-5-32-554.
Configure S-1-5-32-548.
Configure S-1-5-32-550.
Configure S-1-5-9.
Configure WdiServiceHost.
Error 1332: No mapping between account names and security IDs was done.
  Cannot find WdiServiceHost.
Configure S-1-5-21-2125830507-553053660-2246957542-519.
  add SeTimeZonePrivilege.

 User Rights configuration was completed with one or more errors.

...

By default, the GPTMPL.INF policy in the Default Domain Controllers Policy looks like this:

SeSystemProfilePrivilege = *S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420,*S-1-5-32-544

Once an unrelated security setting is modified in the Default Domain Controllers Policy, the SeSystemProfilePrivelege entry in Default Domain Controllers Policy appears as below:

SeSystemProfilePrivilege = *S-1-5-32-544,WdiServiceHost

Cause

When modifying any security setting in the Default Domain Controllers Policy using the Group Policy Management Console (GPMC) from the console of a Windows Server 2008 R2 domain controller, GPMC incorrectly translates the SID for the Wdiservice account in the policy to a user name which is not recognized by the local machines where the policy is enforced.

This issue also occurs when a Windows 7 or Windows Server 2008 R2 member computer modifies any security setting in the Default Domain Controllers Policy on a Windows Server 2008 R2 domain controller.

Resolution

Install the following hotfix to resolve this issue:

974639 SceCli 1202 events are logged every time Computer Group Policy settings are refreshed on a computer that is running Windows Server 2008 R2 or Windows 7

As a temporary workaround, manually edit the GPTMPL.INF file by adding the NT Service\ prefix in front of the wdiservicehost account name for the Profile System Performance user right in the Default Domain Controllers Policy. This has to be done everytime any security setting in the Default Domain Controllers Policy is administered with GPMC.

This step will prevent the 1202 event from being logged until the next time security policy is modified in the Default Domain Controllers Policy by the relevant operating system versions.

  1. Open the GPTTMPL.INF file for the Default Domain Controllers Policy of a domain controller logging the Event ID 1202. The path to the GPTTMPL.INF file when SYSVOL is located below %SystemRoot% is:

    %SystemRoot%\Sysvol\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GPTTMPL.INF

  2. Locate the SeSystemProfilePrivilege entry in the GPTTMPL.INF and modify it as follows:

    Before: SeSystemProfilePrivilege = *S-1-5-32-544,WdiServiceHost
    After: SeSystemProfilePrivilege = *S-1-5-32-544,nt service\WdiServiceHost

    Note: NT Service\ should appear after the "," delimiter. Do not prefix NT Service\ with the "*" character.

  3. Save the changes to GPTTMPL.INF.

  4. From a command prompt on the console of the domain controller whose GPTTMPL.INF file was modified in Step 1, type Gpupdate /force.

  5. View the Application log to see if a Event ID 1202 with status code 0x534 was logged. If so, review the WINLOGON.LOG to see if the event was caused by the WdiServiceHost security principal.

More Information

In the Default Domain Controllers Policy on a Windows Server 2008 R2 domain controller, the SID for the Diagnostics Service Host (wdiservicehost) account is granted the SeSystemProfilePrivilege where it is added to the local SAM of the machine, picked up by SCE, then added to the GPTTMPL.INF.

When any security setting is modified in the Default Domain Controllers Policy on a Windows Server 2008 domain controller, a code defect causes the SID for the Wdiservicehost account to be replaced with its SAM account but fails to add the NT Service\ prefx required by SCECLI to resolve the account's name. (i.e. NT Service\Wdiservicehost).

  1. The issue described in this policy occurs when the Group Policy Management Editor on Windows 7 or Windows Server 2008 R2 computers is used to modify security settings in Default Domain Controllers Policy on a Windows Server 2008 domain controller.

  2. This issue does not occur when security policy is modified in policies other than Default Domain Controllers Policy.

  3. Despite the logging of the Event ID 1202 with status code 0x534, this issue does not prevent Windows computers from applying security policy contained in the Default Domain Controllers Policy. However, there is no way to distinguish a false positive event caused by this issue from a legitimate misconfiguration that will prevent security policy from applying, identified by the same Event ID 1202 and 0x534 status code.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
Keywords: 
KB2000705
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support