W2K server ошибка, Код события: 1202
Rossomaha
Каждые пол часа в "Журнал приложений" пишется две ошибки:
------------------
Тип события: Ошибка
Источник события: Userenv
Категория события: Отсутствует
Код события: 1000
Дата: 02.12.2002
Время: 14:32:11
Пользователь: NT AUTHORITY\SYSTEM
Компьютер: SERVER
Описание:
Клиентское расширение Security групповой политики передало флаги (17) и
возвратило код ошибки (1332).
---------------------
Тип события: Предупреждение
Источник события: SceCli
Категория события: Отсутствует
Код события: 1202
Дата: 02.12.2002
Время: 14:32:11
Пользователь: Нет данных
Компьютер: SERVER
Описание:
Выполнено распространение политики безопасности с предупреждением. 0x534 :
Именам пользователей не сопоставлены коды защиты данных.
Дополнительные сведения содержатся в разделе "Устранение неполадок" справки
по безопасности.
------------------
--
Rossomaha
[ ЗА IP БЕЗ ЦЕНЗУРЫ ]
Victor Fedorchenko
Mon Dec 02 2002 14:49, Rossomaha wrote to All:
R> From: "Rossomaha" <ross...@comtv.ru>
R> Подскажите плиз где собака зарыта.
R> Каждые пол часа в "Журнал приложений" пишется две ошибки:
R> ------------------
Вот на http://www.eventid.net нашел следующее :
Event ID: 1202
Source SceCli
Type Warning
Description Security policies are propagated with warning. <error code> :
<error description>. Please look for more details in TroubleShooting section
in Security Help.
Comments Adrian Grigorof: For mapping error codes to description use net
helpmsg #<error code in decimal>.
Bob Bostwick: This event can also happen if you rename the Administrator
account. To resolve the issue create an account named Administrator and
disable it.
Adrian Grigorof: Error code 0x534 (decimal 1332)- "No mapping between account
names and security IDs was done.":
A program was installed, which creates user accounts and assigns rights to
those user accounts. Later, the program was removed,the user accounts deleted,
but the rights from policy before the accounts were still there. A user
account is added and rights assigned to the account. The account is deleted,
but not from security policies. The "0x534" code is the hex for "1332".
Following the suggestions in Q247482 (see the link below) helps. Make sure you
check the domain, domain controllers and local group policies.
Adrian Grigorof: Q256000 is no longer available but here is what it used to
say:
"Q256000 - Error Messages After Importing Basicdc.inf into Group Policy
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Symptoms:
After you import the Basicdc.inf file into the default domain controllers
Group Policy object (GPO), the following error messages may be generated.
Application log:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 3/1/2000
Time: 6:16:43 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTERNAME
Description: The Group Policy client-side extension Security was passed flags
(17) and returned a failure status code of (13).
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 3/1/2000
Time: 6:16:43 PM
User: N/A
Computer: COMPUTERNAME
Description: Security policies are propagated with warning. 0xd : The data is
invalid. Please look for more details in TroubleShooting section in Security
Help.
Winlogon.log:
Error 13: The data is invalid. Error convert %SYSVOL%\DOMAIN\POLICIES.
Error 13: The data is invalid. Error converting section File Security.
Userenv.log:
ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0xd.
Cause
This behavior occurs because three system environment variables (%SYSVOL%,
%DSDIT%, and %DSLOG%) are referenced within the Basicdc.inf file, but exist
only during the Dcpromo process. These error messages are generated each time
the Default Domain Controllers policy is applied.
Resolution
To resolve this issue:
At a command prompt, type net share sysvol, and then press ENTER. Note the
path that is returned.
Right-click My Computer, and then click Properties.
On the Advanced tab, click Environment Variables.
In the System Variables section, click New.
In the Variable Name box, type SYSVOL.
In the Variable Value box, type the path that you noted in step 1, minus the
last "\sysvol" item.
Repeat these steps to create the %DSDIT% and %DSLOG% variables.
You can view these variables in the registry under the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameter
For example:
Database log files path:REG_SZ:C:\WINNT\NTDS (%DSLOG% equals C:\WINNT\NTDS)
DSA Working Directory:REG_SZ:C:\WINNT\NTDS (%DSDIT% equals C:\WINNT\NTDS)
At a command prompt, type the following command, and then press ENTER:
secedit /refreshpolicy machine_policy /enforce
Examine the Userenv.log file, Winlogon.log file, and Application event log.
The error messages should no longer occur.
If the error messages persist, restart the computer and confirm that the error
messages no longer occur.
Status:
Microsoft has confirmed this to be a problem in the Microsoft products that
are listed at the beginning of this article."
Please note that this Q article has been removed by Microsoft from their
Knowledgebase so it may not be applicable anymore.
Liz: If you are getting event ID 1000 & 1202 every 5 minutes, then it also may
be to do with IIS. If you have removed IIS & SMTP server then check that the
DC has removed the IWAM & IUSR users from the security policy. Go into Domain
Controller Security Policy, Security Settings, Local Policies, User rights
Assignment & make sure that these users are taken out of any policies they are
still in. Then run "secedit /refreshpolicy machine_policy /enforce" from the
command prompt & your errors should disappear.
Paul Rinear: Error code: 0xd (decimal 13) - "The data is invalid.": There are
two situations where I've experienced this problem:
1) Domain Controllers - 1202 and 1000 every 5 minutes - the problem is due to
missing SYSVOL, DSDIT, and DSLOG environment variables and the fix is
described in the Microsoft Knowledge Base (Q256000)
2) Workstations and member servers - 1202 and 1000 errors about every 2 hours.
If you turn on the ExtensionDebugLevel (as described in Knowledge Base article
Q245422) and look in winlogon.log, you see near the end that it fails on
%DSDIT%. [..] Situation 2 can occur by unknowingly applying the basicdc.inf
security template to the entire domain instead of to just the domain
controllers. When this happens, there will be references in the applied domain
security template to DSDIT, DSLOG, and SYSVOL, even thoough these and their
directories only exist on domain controllers. To get rid of the error in
Situation 2, these references must be removed. I find the easiest way to do
this is the following:
Open up Domain Security Policy tool (or whatever topmost container holds the
computers giving you the errors), right click on Security Settings, choose
Import Policy, make sure you check the box that says "Clear this Database
before importing" (otherwise the changes are just additions to the settings
that are already there), then choose "setup security.inf". This will get you
back pretty close to default, losing any customizations you made (that weren't
being applied anyway).
In about 5 minutes, all your domain controllers should pick up the change.
Your workstations and member servers will pick them up much later, unless you
do a "secedit /refreshpolicy machine_policy /enforce" at a command prompt on
each of these machines.
Ron Wilkins: Error code 0x534 (decimal 1332)- "No mapping between account
names and security IDs was done.": A removal of IIS 5 from the server creates
this error and EVent ID 1000 every 5 minutes as well. An install adds the iusr
accounts to the security policy, but an uninstall does not remove them.
Anja Ahrens: Error code: 0x4b8 - "An extended error has occurred.". See
Q278316.
Cath: Error code 0x6fc - "The trust relationship between the primary domain
and the trusted domain failed." See Q279432.
Links Q247482 , Q256000 , Q245422 , Q279432 , Q279432 , Q278316
С уважением, Виктор! e-mail: vic...@dp.ukrtelecom.net