Monday, February 12, 2007

Swing Migration Creates SceCli Event 1202 Errors in the Event Log

Problem: After you perform a Swing Migration your Application event log fills up with these little buggers.

Event Type: Warning
Event Source: SceCliEvent
Category: None
Event ID: 1202
Date: 2/12/2007
Time: 9:51:13 AM
User: N/A
Computer: SERVER
Description:Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
Advanced help for this problem is available on Query for "troubleshooting 1202 events".
Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID. This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO. To resolve this event, contact an administrator in the domain to perform the following actions:
1. Identify accounts that could not be resolved to a SID:
From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output identifies the problem account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").
2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:
a. Start -> Run -> RSoP.mscb. Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.c. For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.
3. Remove unresolved accounts from Group Policy
a. Start -> Run -> MMC.EXEb. From the File menu select "Add/Remove Snap-in..."c. From the "Add/Remove Snap-in" dialog box select "Add..."d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"e. In the "Select Group Policy Object" dialog box click the "Browse" button.f. On the "Browse for a Group Policy Object" dialog box choose the "All" tabg. For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

You could go through all these steps and identify which user is could the problem or you could just keep reading.

The problem lies in the IWAM and IUSR account that you deleted during the Swing Migration cleanup. These two account still are assigned rights in the Default Domain Controller policy. To fix the error you need to remove their rights from

Access this computer from the network
Adjust memory quotas for a process
Log on as a batch job

Now send me a Starbucks card for the time I just saved you!

AutoEnrollement 0x80040154 Errors After Performing A Swing Migration

Several times I have done a Swing Migration and come up with the following error in the application event log.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 2/12/2007
Time: 10:10:52 AM
User: N/A
Computer: SERVER
Description:Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80040154). Class not registered

There is not much out there on error 0x80040154, but I did find one news group post that solved the issue. Funny thing is I didn't find it by searching for 0x80040154 even though it was in the title of the post.

As a precaution I exported the certificates prior to deleting them.

1. Open mmc / add certificates snapin for local computer account.
2. Expand certificates.
3. Under Trusted root cert auth in certificates container you will find certificate that was created when you built you old server.
4. Select the certificate and delete it.