Finally Gone!

Wednesday, August 28, 2002

For months I have been dealing with this error on my Windows 2000 server, configured as a Domain Controller. I've rebuilt the system a couple of times in the interim, and this just kept coming up every 5 minutes in my Application Event log. Very annoying.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000

Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).

and

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202

Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.

After many attempts at several things, I found the solution: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q247482. In my case, the Power Users group didn't exist for some reason. All I had to do was recreate that group, restart the Netlogon service, and the messages are gone!

Resolution

To resolve this issue, follow these steps:

  1. Add a DWORD value named ExtensionDebugLevel with value data 2 to the following registry key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtension\827...
    NOTE: Under GPExtension, use the subkey whose GUID starts with "{827".

  2. At a command prompt, type secedit /refreshpolicy machine_policy /enforce to generate the Winlogon.log file in the Windows_folder\Security\Logs folder.
  3. Restart the Netlogon service.
  4. Search the Winlogon.log file for deleted user accounts.
  5. Confirm that the account is not referenced in any User Rights Assignment in the Default Domain Controllers policy or in the Local Security Policy (check the effective settings column).
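Steps 4 and 5 amount to one check: find every account referenced in User Rights Assignments that can no longer be mapped to a SID, which is exactly the condition behind error 1332 / 0x534. The script below is an added example, not code from the post or from the KB article. It exports the effective local security policy with secedit (assumed to be on the PATH and run from an elevated prompt; on Windows 2000 add /mergedPolicy to the export), parses the [Privilege Rights] section, and tries to resolve each entry: "*S-1-..." entries are SIDs translated back to names (an orphaned SID means a deleted principal), bare names are translated to SIDs (a missing group such as Power Users fails here). The function name Find-UnresolvedAccounts and the temp file name are my own; point -TemplatePath at a GptTmpl.inf copied from SYSVOL to check a domain policy instead.

```powershell
# Added example: report User Rights Assignment entries that do not resolve,
# i.e. the entries that make SceCli log event 1202 with status 0x534.
function Find-UnresolvedAccounts {
    param(
        # A security template (GptTmpl.inf or secedit export). When omitted,
        # the effective local policy is exported first.
        [string]$TemplatePath
    )

    if (-not $TemplatePath) {
        $TemplatePath = Join-Path $env:TEMP 'effective-policy.inf'   # constructed file name
        # secedit writes the merged local policy; requires an elevated prompt.
        & secedit.exe /export /cfg $TemplatePath /quiet | Out-Null
    }

    # Templates are UTF-16LE with a BOM; Get-Content detects the BOM.
    $lines = Get-Content -Path $TemplatePath

    $inSection = $false
    $findings  = New-Object System.Collections.Generic.List[object]

    foreach ($line in $lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }

        $right   = $Matches[1]
        $entries = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

        foreach ($entry in $entries) {
            try {
                if ($entry.StartsWith('*')) {
                    # "*S-1-5-21-..." is a stored SID; a deleted principal leaves it orphaned.
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    [void]$sid.Translate([System.Security.Principal.NTAccount])
                } else {
                    # A bare name (e.g. "Power Users") must resolve via the SAM or the domain.
                    $acct = New-Object System.Security.Principal.NTAccount($entry)
                    [void]$acct.Translate([System.Security.Principal.SecurityIdentifier])
                }
            } catch {
                # IdentityNotMappedException here is the same condition as error 1332.
                $findings.Add([pscustomobject]@{
                    Right   = $right
                    Account = $entry
                    Error   = $_.Exception.Message
                })
            }
        }
    }
    return $findings
}

$bad = Find-UnresolvedAccounts
if ($bad.Count -gt 0) {
    $bad | Format-Table -AutoSize
} else {
    'Every User Rights Assignment entry resolves to a SID.'
}
```

On current Windows versions a few capability SIDs (S-1-15-...) in the default policy do not translate and will show up as findings; the entries that matter for this event are S-1-5-21 domain or local SIDs and bare names, which are the ones the policy engine must map at apply time. Once the offending entry is found, either recreate the principal (as the post did) or remove the stale reference from the policy, then refresh policy and restart Netlogon as in steps 2 and 3.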

Oh, and I was getting lots of messages about DNS registrations failing. I don't have dynamic DNS capabilities with my ISP, so I found a great article on how to turn them all off: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q246804 (jump down to the "All Registrations" section):

All Registrations

To disable all registrations performed by Netlogon, use the registry value described below (a restart of the Netlogon service is required, although a reboot is preferred):

This determines whether the Netlogon service on this domain controller uses DNS dynamic updates. Netlogon can use DNS dynamic updates to register DNS names identifying the domain controller. DNS dynamic updates provide automatic updates of zone data, such as DNS names, on the zone's primary server whenever an authorized zone server requests an update. It supplements the static, manual method of adding and changing zone records. The DNS dynamic update protocol is defined in RFC 2136.

Value   Meaning
-----   -------------------------------------------------------------
0       Netlogon does not use DNS dynamic updates. Records specified in the Netlogon.dns file must be registered manually in DNS.
1       Netlogon uses DNS dynamic updates to register the names identifying this domain controller.

You might consider disabling Netlogon's use of DNS dynamic updates if your DNS servers do not support DNS dynamic updates or to eliminate the network traffic associated with periodic registration of Net Logon's DNS records.

This entry is supported on domain controllers only. Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

To make the changes to this value effective, delete %SYSTEMROOT%\system32\config\netlogon.dnb, and then restart the Netlogon service. A restart of Windows 2000 is preferred.
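The change above is simple, but it has a consequence the value table spells out: with dynamic updates off, nothing refreshes the DC's locator records any more, so a defender wants to confirm the SRV records clients use to find the DC are still present after the switch. The script below is an added example, not code from the post or the KB article. It writes the setting, deletes the netlogon.dnb cache and restarts Netlogon as the text describes, then resolves the core locator records and checks that this DC is among the targets. Assumptions: it runs elevated on the domain controller; the value name UseDynamicDns is not printed on the page itself but is the Netlogon parameter the linked KB article documents; Resolve-DnsName needs Windows 8 / Server 2012 or later; the function name Test-DcLocatorRecords and the chosen record list are mine.

```powershell
# Added example: disable Netlogon DNS registration, then verify the DC is still discoverable.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dnb    = Join-Path $env:SystemRoot 'system32\config\netlogon.dnb'

# 0 = Netlogon does not use DNS dynamic updates (value name per the linked KB article).
New-ItemProperty -Path $params -Name 'UseDynamicDns' -PropertyType DWord -Value 0 -Force | Out-Null

# The page's instruction: delete the cached registration state, then restart Netlogon.
if (Test-Path $dnb) { Remove-Item -Path $dnb -Force }
Restart-Service -Name Netlogon -Force

function Test-DcLocatorRecords {
    # Returns one object per record with an OK / MISSING status for this DC.
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $me     = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName).TrimEnd('.')

    # Netlogon.dns lists every record; these are the ones whose absence breaks
    # domain logon and DC discovery immediately.
    $names = @(
        "_ldap._tcp.$domain",
        "_ldap._tcp.dc._msdcs.$domain",
        "_kerberos._tcp.$domain",
        "_kerberos._tcp.dc._msdcs.$domain"
    )

    foreach ($name in $names) {
        try {
            $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop
            $targets = $answers.NameTarget | ForEach-Object { $_.TrimEnd('.') }
            $status  = if ($targets -contains $me) { 'OK' } else { 'MISSING (this DC not a target)' }
        } catch {
            $status = 'MISSING (no record)'
        }
        [pscustomobject]@{ Record = $name; Status = $status }
    }
}

Test-DcLocatorRecords | Format-Table -AutoSize
```

Any MISSING line means the corresponding SRV record must now be created by hand on the DNS server, using the entries in %SYSTEMROOT%\system32\config\netlogon.dns as the source; re-run the check after every DC rename, IP change or site move, since those are the events dynamic registration used to cover.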
