Categories: Windows Server

SOLVED: How To Troubleshoot Source SceCli Event 1202 Security Policies Were Propagated With Warning. 0x534 : No Mapping Between Account Names and Security IDs Was Done

This error is telling you that there is an account that was most likely deleted from Active Directory but is still mentioned in a Group Policy. You have to find that group policy and look for an entry that contains only a SID (a hash of numbers and letters), but not a name and this is easier to do than you might think.

For the sake of clarity here is the full error in from the Application Event Log

Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for “troubleshooting 1202 events”.

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID. This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.

To find the broken account:

  1. Start a CMD AS AN ADMINISTRATOR
  2. Type RSOP.MSC and press ENTER
  3. Notice the bang (yellow triangle with exclamation mark) and expand COMPUTER CONFIGURATION > WINDOWS SETTINGS > SECURITY SETTINGS > LOCAL POLICIES
    • > USER RIGHTS ASSIGNMENT and
    • > RESTRICTED GROUPS
  4. Double click on any GPO with a red X on it and click the PRECEDENCE tab
    • That tab tells you which GPO’s are creating the entries.
    • To find the problem you have to then look at each of the GPO’s
      • As shown in the screen shot, in my case the problem was on the second GPO, DEFAULT DOMAIN CONTROLLERS POLICY
  5. On a Domain Controller, launch GROUP POLICY MANAGEMENT EDITOR
  6. Expand the offending GPO
  7. Double click on the GPO, find the SID entry and click REMOVE
    • As NOT shown in the screenshot, I also had to remove an account named BACKUP_SERVICE that did not exist locally or on the domain from the DEFAULT DOMAIN POLICY

At this point you could run a GPUPDATE /FORCE on the machine(s) recording their errors in their event logs and see that there are no new entries.

Leave a Comment
Published by
Ian Matthews
12 months ago

This website uses cookies.