Finally Gone!

Wednesday, August 28, 2002

For months I have been dealing with this error on my Windows 2000 server, configured as a Domain Controller. I've rebuilt the system a couple times in the interim, and this just kept coming up every 5 minutes in my Application Event log. Very annoying.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000

Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).


Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202

Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.

After many attempts at several things, I found the solution:;EN-US;q247482. In my case, the Power Users group didn't exist for some reason. All I had to do was recreate that group, restart the Netlogon service, and the messages are gone!


To resolve this issue, follow these steps:

  1. Add the ExtensionDebugLevel DWORD value with the value data 2 to the following registry key:
    NOTE: In the registry key, any GUID starting with "{827".

  2. Under the command window, type secedit /refreshpolicy machine_policy /enforce to generate the Winlogon.log file in the Windows_folder\Security\Logs folder.
  3. Restart the Netlogon service.
  4. Search the Winlogon.log file for deleted user accounts.
  5. Confirm that this user account is not located in any of the User Rights Assignments in the Default Domain Controllers policy as well as in the Local Security Policy, under the effective settings column.

Oh, and I was getting lots of messages about DNS registrations failing. I don't have dynamic DNS capabilities with my ISP, so I found a great article on how to turn them all off:;en-us;Q246804 (jump down to the "All Registrations" section):

All Registrations

To disable all registrations performed by Netlogon, use the following registry key (a restart of the Netlogon service is required, although a reboot is preferred):

This determines whether the Netlogon service on this domain controller uses DNS dynamic updates. Netlogon can use DNS dynamic updates to register DNS names identifying the domain controller. DNS dynamic updates provide automatic updates of zone data, such as DNS names, on the zone's primary server whenever an authorized zone server requests an update. It supplements the static, manual method of adding and changing zone records. The DNS dynamic update protocol is defined in RFC 2136.

Value Meaning -------------------------------------------------------------
0 Netlogon does not use DNS dynamic updates. Records specified in the Netlogon.dns file must be registered manually in DNS.
1 Netlogon uses DNS dynamic updates to register the names identifying this domain controller.

You might consider disabling Netlogon's use of DNS dynamic updates if your DNS servers do not support DNS dynamic updates or to eliminate the network traffic associated with periodic registration of Net Logon's DNS records.

This entry is supported on domain controllers only. Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

To make the changes to this value effective, delete %SYSTEMROOT%\system32\config\netlogon.dnb, and then restart the Netlogon service. A restart of Windows 2000 is preferred.