DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 324383 - Last Review: February 28, 2007 - Revision: 1.7

Hotfix Download Available
View and request hotfix downloads
 
This article was previously published under Q324383
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/) .

On This Page

SUMMARY

This article describes ways to troubleshoot and to resolve SCECLI 1202 events.

MORE INFORMATION

The first step in troubleshooting these events is to identify the Win32 error code. This error code distinguishes the type of failure that causes the SCECLI 1202 event. The following is an example of a SCECLI 1202 event. The error code is shown in the Description field. In this example, the error code is 0x534. The text after the error code is the error description.

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A
Computer: %ComputerName%
Description: Security policies are propagated with warning. 0x534: No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.

After you determine the error code, find that error code section in this article, and then follow the troubleshooting steps in that section.

0x534: No mapping between account names and security IDs was done.
-or-
0x6fc: The trust relationship between the primary domain and the trusted domain failed.

These error codes mean that there was a failure to resolve a security account to a security identifier (SID). This typically occurs either because an account name was mistyped or because the account was deleted after it was added to the security policy setting. This typically occurs in the User Rights section or the Restricted Groups section of the security policy setting. It may also occur if the account exists across a trust and then the trust relationship is broken.

To troubleshoot this issue, follow these steps:
  1. Determine the account that is causing the failure. To do this, enable debug logging for the Security Configuration client-side extension. To do this:
    1. Start Registry Editor.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F7 9F83A}
    3. On the Edit menu, click Add Value, and then add the following registry value:
      Value name: ExtensionDebugLevel
      Data type: DWORD
      Value data: 2
    4. Quit Registry Editor.
  2. Refresh the policy settings to reproduce the failure. To refresh the policy settings, type the following at the command prompt, and then press ENTER:
    secedit /refreshpolicy machine_policy /enforce
    This creates a file that is named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder.
  3. Find the problem account. To do this, type the following at the command prompt, and then press ENTER:
    find /i "cannot find" %SYSTEMROOT%\security\logs\winlogon.log
    The Find output identifies the problem account names--for example, "Cannot find MichaelAlexander." In this example, the user account MichaelAlexander does not exist in the domain, or it has a different spelling--for example, MichelleAlexander.

    Determine why this account cannot be resolved. For example, look for typographical errors, a deleted account, the wrong policy applying to this computer, or a trust problem.
  4. If you determine that the account has to be removed from the policy, find the problem policy and the problem setting. To determine which setting contains the unresolved account, type the following at the command prompt on the computer that is producing the SCECLI 1202 event, and then press ENTER:
    c:\>find /i “account name” %SYSTEMROOT%\security\templates\policies\gpt*.*
    For this example, the syntax and the results are:
    c:\>find /i "MichaelAlexander" %SYSTEMROOT%\security\templates\policies\gpt*.*
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM
    
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF
    
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00002.INF
    SeInteractiveLogonRight = TsInternetUser,*S-1-5-32-549,*S-1-5-32-550,MichaelAlexander,*S-1-5-32-551,*S-1-5-32-544,*S-1-5-32-548
    
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00003.DOM
    This identifies GPT00002.inf as the cached security template from the problem Group Policy object (GPO) that contains the problem setting. It also identifies the problem setting as SeInteractiveLogonRight. The display name for SeInteractiveLogonRight is “Logon locally.”

    For a map of the constants (for example, SeInteractiveLogonRight) to their display names (for example, Logon locally), see the Microsoft Windows 2000 Server Resource Kit, "Distributed Systems Guide." The map is in the "User Rights" section of the Appendix.
  5. Determine which GPO contains the problem setting. Search the cached security template that you identified in step 4 for the text "GPOPath=." In this example, you would see the following:
    GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE
    Between "GPOPath=" and "\MACHINE" is the GUID of the GPO.
  6. To find the friendly name of the GPO, use the Resource Kit utility Gpotool.exe. Type the following at the command prompt, and then press ENTER:
    gpotool /verbose
    Search the output for the GUID that you identified in step 5. The four lines that follow the GUID contain the friendly name of the policy. For example:
    Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
    Policy OK
    Details:
    ------------------------------------------------------------
    DC: domcntlr1.wingtiptoys.com
    Friendly name: Default Domain Controllers Policy
    
You have now identified the problem account, the problem setting, and the problem GPO. To resolve the problem, remove or replace the problem entry.

0x2: The system cannot find the file specified.

This error is similar to 0x534 and to 0x6fc in that it is caused by an irresoluble account name. When the 0x2 error occurs, it typically indicates that the irresoluble account name is specified in a Restricted Groups policy setting.

To troubleshoot this issue, follow these steps:
  1. Determine which service or which object is having the failure. To do this, enable debug logging for the Security Configuration client-side extension. To do this:
    1. Start Registry Editor.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F7 9F83A}
    3. On the Edit menu, click Add Value, and then add the following registry value:
      Value name: ExtensionDebugLevel
      Data type: DWORD
      Value data: 2
    4. Quit Registry Editor.
  2. Refresh the policy settings to reproduce the failure. To refresh the policy settings, type the following at the command prompt, and then press ENTER:
    secedit /refreshpolicy machine_policy /enforce
    This creates a file that is named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder.
  3. At the command prompt, type the following, and then press ENTER:
    find /i "cannot find" %SYSTEMROOT%\security\logs\winlogon.log
    The Find output identifies the problem account names--for example, "Cannot find MichaelAlexander." In this example, the user account MichaelAlexander does not exist in the domain, or it has a different spelling--for example, MichelleAlexander.

    Determine why this account cannot be resolved. For example, look for typographical errors, a deleted account, the wrong policy applying to this computer, or a trust problem.
  4. If you determine that the account has to be removed from the policy, find the problem policy and the problem setting. To find what setting contains the unresolved account, type the following at the command prompt on the computer that is producing the SCECLI 1202 event, and then press ENTER:
    c:\>find /i “account name” %SYSTEMROOT%\security\templates\policies\gpt*.*
    For this example, the syntax and the results are:
    c:\>find /i "MichaelAlexander" %SYSTEMROOT%\security\templates\policies\gpt*.*
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM
    
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF
    
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00002.INF
    SeInteractiveLogonRight = TsInternetUser,*S-1-5-32-549,*S-1-5-32-550,JohnDough,*S-1-5-32-551,*S-1-5-32-544,*S-1-5-32-548
    
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00003.DOM
    This identifies GPT00002.inf as the cached security template from the problem GPO that contains the problem setting. It also identifies the problem setting as SeInteractiveLogonRight. The display name for SeInteractiveLogonRight is “Logon locally.”

    For a map of the constants (for example, SeInteractiveLogonRight) to their display names (for example, Logon locally), see the Microsoft Windows 2000 Server Resource Kit, "Distributed Systems Guide." The map is in the "User Rights" section of the Appendix.
  5. Determine which GPO contains the problem setting. Search the cached security template that you identified in step 4 for the text "GPOPath=." In this example, you would see the following:
    GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE
    Between "GPOPath=" and "\MACHINE" is the GUID of the GPO.
  6. To find the friendly name of the GPO, use the Resource Kit utility Gpotool.exe. Type the following at the command prompt, and then press ENTER:
    gpotool /verbose
    Search the output for the GUID you identified in step 5. The four lines that follow the GUID contain the friendly name of the policy. For example:
    Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
    Policy OK
    Details:
    ------------------------------------------------------------
    DC: domcntlr1.wingtiptoys.com
    Friendly name: Default Domain Controllers Policy
    

You have now identified the problem account, the problem setting, and the problem GPO. To resolve the problem, search the Restricted Groups section of the security policy for instances of the problem account (in this example, "MichaelAlexander"), and then remove or replace the problem entry.

0x5: Access denied.

This error typically occurs when the system has not been granted the correct permissions to update the access control list of a service. This may occur if the Administrator defines permissions for a service in a policy but does not grant the System account Full Control permissions.

To troubleshoot this issue, follow these steps:
  1. Determine which service or which object is having the failure. To do this, enable debug logging for the Security Configuration client-side extension. To do this:
    1. Start Registry Editor.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F7 9F83A}
    3. On the Edit menu, click Add Value, and then add the following registry value:
      Value name: ExtensionDebugLevel
      Data type: DWORD
      Value data: 2
    4. Quit Registry Editor.
  2. Refresh the policy settings to reproduce the failure. To refresh the policy settings, type the following at the command prompt, and then press ENTER:
    secedit /refreshpolicy machine_policy /enforce
    This creates a file that is named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder.
  3. At the command prompt, type the following, and then press ENTER:
    find /i "error opening" %SYSTEMROOT%\security\logs\winlogon.log
    The Find output identifies the service with the misconfigured permissions--for example, "Error opening Dnscache." Dnscache is the short name for the DNS Client service.
  4. Find out which policy or which policies are trying to modify the service permissions. To do this, type the following at the command prompt, and then press ENTER:
    find /i "service" %SYSTEMROOT%\security\templates\policies\gpt*.*".
    The following is a sample command and its output:
    d:\>find /i "dnscache" %windir%\security\templates\policies\gpt*.*
    
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM
    
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF
    
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00002.INF
    Dnscache,3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)"
    
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00003.DOM
    
  5. Determine which GPO contains the problem setting. Search the cached security template that you identified in step 4 for the text "GPOPath=." In this example, you would see the following:
    GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE
    Between "GPOPath=" and "\MACHINE" is the GUID of the GPO.
  6. To find the friendly name of the GPO, use the Resource Kit utility Gpotool.exe. Type the following at the command prompt, and then press ENTER:
    gpotool /verbose
    Search the output for the GUID that you identified in step 5. The four lines that follow the GUID contain the friendly name of the policy. For example:
    Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
    Policy OK
    Details:
    ------------------------------------------------------------
    DC: domcntlr1.wingtiptoys.com
    Friendly name: Default Domain Controllers Policy
    
Now you have identified the service with the misconfigured permissions and the problem GPO. To resolve the problem, search the System Services section of the security policy for instances of the service with the misconfigured permissions, and then take corrective action to grant the System account Full Control permissions to the service.

0x4b8: An extended error has occurred.

The 0x4b8 error is generic and can be caused by a number of different problems. To troubleshoot these errors, follow these steps:
  1. Enable debug logging for the Security Configuration client-side extension. To do this:
    1. Start Registry Editor.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F7 9F83A}
    3. On the Edit menu, click Add Value, and then add the following registry value:
      Value name: ExtensionDebugLevel
      Data type: DWORD
      Value data: 2
    4. Quit Registry Editor.
  2. Refresh the policy settings to reproduce the failure. To refresh the policy settings, type the following at the command prompt, and then press ENTER:
    secedit /refreshpolicy machine_policy /enforce
    This creates a file that is named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder.
  3. See the following Microsoft Knowledge Base articles. These articles describe known issues that cause the 0x4b8 error. Click the following article numbers to view the articles in the Microsoft Knowledge Base:
    260715  (http://support.microsoft.com/kb/260715/EN-US/ ) Event ID 1000 and 1202 After Configuring Policies
    278316  (http://support.microsoft.com/kb/278316/ ) ESENT Event IDs 1000, 1202, 412, and 454 Are Logged Repeatedly in the Application Event Log

APPLIES TO
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbhotfixserver kbqfe kbhowto KB324383
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support