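On my Windows Server 2003 EE domain controller, a warning event with Event ID 1202 was logged every 5 minutes (screenshot and description below), and the same happened on the domain member computers. The warning did not affect the normal operation of the domain, but it bothered me for several months. Today I finally read the warning message carefully from start to finish, and made this annoying warning disappear from the event log completely.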
 
[Screenshot: the Event ID 1202 warning]
 
Description:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
 
Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".
 
Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:
 
1.      Identify accounts that could not be resolved to a SID:
 
From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log
 
The string following "Cannot find" in the FIND output identifies the problem account names.
 
Example: Cannot find JohnDough.
 
In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").
 
2.      Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:
 
a.      Start -> Run -> RSoP.msc
b.      Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.      For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.
 
3.      Remove unresolved accounts from Group Policy
 
a.      Start -> Run -> MMC.EXE
b.      From the File menu select "Add/Remove Snap-in..."
c.      From the "Add/Remove Snap-in" dialog box select "Add..."
d.      In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.      In the "Select Group Policy Object" dialog box click the "Browse" button.
f.       On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.      For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
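Following the suggestions in the event description, I worked through the steps as follows:
1. Identify the accounts that cannot be resolved to a SID. I could not find any such user in the log, so I concluded that this was not the cause.
2. Check for the domain policy that is not working properly.
A. Start -> rsop.msc
B. Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups, looking for entries flagged with a red X. In the corresponding location I found the erroneous entry flagged with an X.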
 
 
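Open the properties of the entry flagged with the X and look at the second tab, "Precedence". The policy that applies this setting is the "Default Domain Policy".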
 
 
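C. On the domain controller, open the Group Policy editor, go to the location where the corresponding policy is applied, and either delete the erroneous account and add the correct user group, or set the policy to "Not Defined".
I chose "Not Defined" here, and the problem was solved.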
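
Steps 1 and 2 of the event description can also be cross-checked offline. The following is an added example (not from the original post or from Microsoft): it extracts the names from "Cannot find" lines in a copy of winlogon.log and lists the User Rights and Restricted Groups entries in a copy of a GPO's security template that still reference them. It assumes the template is the INF file GptTmpl.inf with [Privilege Rights] and [Group Membership] sections in which entries prefixed with * are SIDs; the function names and both samples are constructed for illustration.

```python
import re

# Constructed sample lines in the style of %SYSTEMROOT%\Security\Logs\winlogon.log.
SAMPLE_LOG = """\
----Configure User Rights...
Cannot find JohnDough.
Cannot find johndough.
"""

# Constructed sample security template. Assumed layout: entries prefixed with '*'
# are SIDs, bare entries are account names that must be resolved to a SID.
SAMPLE_INF = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,JohnDough
SeShutdownPrivilege = *S-1-5-32-544
[Group Membership]
*S-1-5-32-544__Members = JohnDough,*S-1-5-21-1111111111-2222222222-3333333333-512
"""

CHECKED_SECTIONS = {"privilege rights", "group membership"}

def unresolved_accounts(log_text):
    """Return the lower-cased account names from 'Cannot find <name>.' lines."""
    pattern = re.compile(r"(?im)^\s*cannot find\s+(.+?)\.?\s*$")
    return {m.group(1).strip().lower() for m in pattern.finditer(log_text)}

def find_references(inf_text, accounts):
    """Return sorted (section, setting, account) tuples naming an unresolved account."""
    hits, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if (section or "").lower() not in CHECKED_SECTIONS or "=" not in line or line.startswith(";"):
            continue
        setting, _, value = line.partition("=")
        for entry in value.split(","):
            entry = entry.strip().strip('"')
            # '*'-prefixed entries are literal SIDs and need no name lookup.
            if entry and not entry.startswith("*") and entry.lower() in accounts:
                hits.append((section, setting.strip(), entry))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_references(SAMPLE_INF, unresolved_accounts(SAMPLE_LOG)):
        print("%s / %s references unresolved account %s" % hit)
```

On a real system the template is usually UTF-16 encoded, so open it with `encoding="utf-16"` before passing its text to `find_references`.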
 