can't override local security settings

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi,

I took some bad advice and deleted the IUSER and IWAM accounts for a
long dead and removed server. Now I am getting event log error 1202
0x534, that there is a mapping error between an SID and account name.

I have looked at the KB articles on this which have been limited help.
I have found these user accounts in the local security settings with
rights to log on as a batch job etc. I'm assuming that is where the
problem lies as I use very few GPOs and do not specifically list
these accounts in the ones I do have.

I could not see how to remove them (from the logon as a batch job
right) except by defining a domain GPO which listed specific accounts
of course not including the problem ones (which don't exist in AD
anymore anyway) which could log in as batch job. I have done that
both in a new GPO at the top of the list, and also the default domain
GPO, but the local security settings do not change. They still list
these dead accounts along with others.

Why is the domain GPO not overriding the local security settings, and
also if there is a better approach to stopping these event log errors
what is it?

Am I on the wrong track being concerned that the account are in the
local security settings? If they are in a GPO they are not there by
name - how do I find the offending entry in the GPO?

Thanks,


Peter

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Found the accounts in the Default DomainControllers GPO.

Peter

On Sun, 11 Sep 2005 10:31:54 +0700, Peter Kaufman
<peterkhub-usenet@yahoo.ca> wrote:

>Hi,
>
>I took some bad advice and deleted the IUSER and IWAM accounts for a
>long dead and removed server. Now I am getting event log error 1202
>0x534, that there is a mapping error between an SID and account name.
>
>I have looked at the KB articles on this which have been limited help.
>I have found these user accounts in the local security settings with
>rights to log on as a batch job etc. I'm assuming that is where the
>problem lies as I use very few GPOs and do not specifically list
>these accounts in the ones I do have.
>
>I could not see how to remove them (from the logon as a batch job
>right) except by defining a domain GPO which listed specific accounts
>of course not including the problem ones (which don't exist in AD
>anymore anyway) which could log in as batch job. I have done that
>both in a new GPO at the top of the list, and also the default domain
>GPO, but the local security settings do not change. They still list
>these dead accounts along with others.
>
>Why is the domain GPO not overriding the local security settings, and
>also if there is a better approach to stopping these event log errors
>what is it?
>
>Am I on the wrong track being concerned that the account are in the
>local security settings? If they are in a GPO they are not there by
>name - how do I find the offending entry in the GPO?
>
>Thanks,
>
>
>Peter

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Peter,

Have you checked this out?


Troubleshooting SCECLI 1202 Events
http://support.microsoft.com/?kbid=324383

Also can you remove the IIS? Removing it might solve your problem.

br,
Denis

"Peter Kaufman" <peterkhub-usenet@yahoo.ca> wrote in message
news:u6j7i1l95en4641tl6ark4aokleoinjho2@4ax.com...
> Found the accounts in the Default DomainControllers GPO.
>
> Peter
>
> On Sun, 11 Sep 2005 10:31:54 +0700, Peter Kaufman
> <peterkhub-usenet@yahoo.ca> wrote:
>
> >Hi,
> >
> >I took some bad advice and deleted the IUSER and IWAM accounts for a
> >long dead and removed server. Now I am getting event log error 1202
> >0x534, that there is a mapping error between an SID and account name.
> >
> >I have looked at the KB articles on this which have been limited help.
> >I have found these user accounts in the local security settings with
> >rights to log on as a batch job etc. I'm assuming that is where the
> >problem lies as I use very few GPOs and do not specifically list
> >these accounts in the ones I do have.
> >
> >I could not see how to remove them (from the logon as a batch job
> >right) except by defining a domain GPO which listed specific accounts
> >of course not including the problem ones (which don't exist in AD
> >anymore anyway) which could log in as batch job. I have done that
> >both in a new GPO at the top of the list, and also the default domain
> >GPO, but the local security settings do not change. They still list
> >these dead accounts along with others.
> >
> >Why is the domain GPO not overriding the local security settings, and
> >also if there is a better approach to stopping these event log errors
> >what is it?
> >
> >Am I on the wrong track being concerned that the account are in the
> >local security settings? If they are in a GPO they are not there by
> >name - how do I find the offending entry in the GPO?
> >
> >Thanks,
> >
> >
> >Peter
>