SBS 2011 - SceCli event 1202 for user "DefaultAppPool"

    Question

  • I recently installed SBS 2011 (migrated from SBS 2003), including SP1 and all updates.

    I am getting an error in the event log SceCli, event ID 1202.

    FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

    Showed that the offending account is DefaultAppPool.

    RSoP.msc shows that DefaultAppPool indeed is included in several user rights assignments in the Domain Controller Security Policy.

    Google brought me to http://support.microsoft.com/kb/977695 - but this hotfix is already applied.

    Is it safe to simply delete DefaultAppPool from the offending user rights assignments, or is there a better recommended fix for it?

    Thanks!

     

    Log Name:      Application

    Source:        SceCli
    Date:          3/7/2011 1:25:13 AM
    Event ID:      1202
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      ARCSERV.arc.local
    Description:
    Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

    Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

    Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

    1.    Identify accounts that could not be resolved to a SID:

    From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

    The string following "Cannot find" in the FIND output identifies the problem account names.

    Example: Cannot find JohnDough.

    In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

    2.    Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

    a.    Start -> Run -> RSoP.msc
    b.    Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
    c.    For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

    3.    Remove unresolved accounts from Group Policy

    a.    Start -> Run -> MMC.EXE
    b.    From the File menu select "Add/Remove Snap-in..."
    c.    From the "Add/Remove Snap-in" dialog box select "Add..."
    d.    In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
    e.    In the "Select Group Policy Object" dialog box click the "Browse" button.
    f.    On the "Browse for a Group Policy Object" dialog box choose the "All" tab
    g.    For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

    Monday, March 07, 2011 10:23 AM

Answers

  • Hi,

     

    DefaultAppPool is related to IIS. You may not remove it.

     

    I realize that you already have the hotfix KB977685 applied, but the issue persists. But have you tried the following workaround?

     

    To work around this issue, add the prefix to the service accounts manually by editing the GptTmpl.inf file. For the IIS identities, add the "IIS AppPool\" prefix. The following are some samples of an IIS identity:

     

    • DefaultAppPool

    • Classic .NET AppPool

     

    For the detailed information, please refer to the following Microsoft KB article:

     

    The SceCli 1202 events are logged when some Group Policy settings are refreshed in Windows Server 2008 R2 and in Windows 7

    http://support.microsoft.com/kb/977695

     

    For more troubleshooting information, please also refer to the Microsoft KB article below:

     

    Troubleshooting SCECLI 1202 Events

    http://support.microsoft.com/kb/324383

     

    Regards,

     

    Arthur Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com.


    • Marked as answer by kkeane Wednesday, March 09, 2011 4:20 PM
    Tuesday, March 08, 2011 2:52 AM
    Moderator
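
    An added example (not part of the thread or the KB article): a PowerShell script that cross-references the "Cannot find" names from winlogon.log with the [Privilege Rights] section of a GptTmpl.inf and reports which entries need the "IIS AppPool\" prefix. The log lines, the INF content and the $appPools list are constructed sample values.

```powershell
# Constructed sample input, not taken from the thread's server.
$log = @'
Cannot find DefaultAppPool.
Cannot find Dummyapppool.
'@ -split '\r?\n'

$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,DefaultAppPool
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,DefaultAppPool,Dummyapppool
SeAuditPrivilege = *S-1-5-19,*S-1-5-20,IIS AppPool\DefaultAppPool
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split '\r?\n'

# Assumption: application pools that actually exist in IIS on this server.
$appPools = @('DefaultAppPool', 'Classic .NET AppPool')

# Account names that failed SID lookup ("Cannot find <name>.").
$unresolved = @($log | ForEach-Object {
    if ($_ -match 'Cannot find (.+?)\.?\s*$') { $Matches[1] }
})

$inSection = $false
$report = foreach ($line in $inf) {
    if ($line -match '^\s*\[(.+)\]\s*$') {
        # Only the [Privilege Rights] section holds user rights assignments.
        $inSection = ($Matches[1] -eq 'Privilege Rights')
    }
    elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
        $right = $Matches[1]
        # Entries starting with "*" are SIDs; the rest are names resolved at refresh.
        foreach ($name in ($Matches[2].Split(',') | ForEach-Object { $_.Trim() })) {
            if ($unresolved -notcontains $name) { continue }
            $action = if ($appPools -contains $name) {
                "replace with 'IIS AppPool\$name'"
            } else {
                'not an existing application pool: review before editing'
            }
            New-Object PSObject -Property @{ Right = $right; Account = $name; Action = $action }
        }
    }
}
$report | Format-Table Right, Account, Action -AutoSize
```

    The script only reports; the change itself is still made to GptTmpl.inf in a text editor, and a name that is not a real application pool is flagged for review instead of being prefixed.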

All replies

  • I have a very similar issue on a SBS 2008 server. The hotfix you mentioned does not apply to SBS. In my case it points to the defaultapppool and dummyapppool. Not sure if this is related but I'm also getting lots of "A process serving application pool 'SBS Web Applications application pool' exceeded time limits during shut down. The process id was '16084'." I can't see what process it was because at the time of checking it's no longer there. Is there any other solution?

    yaro

    Tuesday, March 08, 2011 4:02 PM
  • Arthur,

    Thank you for your help! I edited the GptTmpl.inf and will see how it goes - but it sounds like that will indeed resolve the issue. I overlooked the note in the hotfix KB that you still have to edit the GptTmpl.inf file.

    By the way, to keep others who see this post from a wild goose chase, there is a typo in the KB number. It should be KB977695, not 85.

    Thanks again!

    Kevin

     

    Wednesday, March 09, 2011 4:20 PM
  • Final update: thanks very much for your help! Since making the change to GptTmpl.inf, the problem has indeed completely disappeared.

     

    Monday, March 14, 2011 12:18 AM
  • So I guess I can ignore the bit that says it only applies to Windows 2008 R2 and Win7. Still when I try to modify the Dummyapppool identity I'm getting a pop-up saying that this account could not be validated.

    yaro


    Thursday, March 24, 2011 9:58 AM
  • Yaro,

    You must use a text editor to edit the GptTmpl.inf file; you cannot make this change in any GUI tool. There is no validation if you use a text editor.

    Hope that helps!

     

    Thursday, March 24, 2011 5:29 PM
  • Yeah, but in the Default Domain Controller policy I found the DefaultAppPool and the Dummyapppool accounts. I modified the GptTmpl.inf file as suggested and removed the DefaultAppPool user in that policy, replacing it with the IIS App\DefaultAppPool, and all worked fine for this identity. I'm still getting the SceCli events, although much less of them, and when running

    FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log 

    I'm now getting only

    Cannot find Dummyapppool.
    Cannot find IIS AppPool\Dummyapppool.

    What is that Dummyapppool and can it be just removed both from the .inf file and the GPO?

    yaro



    Friday, March 25, 2011 5:03 PM