Winlogon.log - No mapping between account names and SIDs

    Question

  • I have a new Server 2008 R2 BDC emulator with RDS installed, and IIS, but I haven't configured it for TS Web yet - probably will do so in the future.  RDS works fine, and the server seems OK except for SceCli Error 1202 every 5 minutes.  Here's the pertinent part of the winlogon.log file that describes the problem:

    ================

    ----Configure User Rights...
     Configure RDWebAccess.
    Error 1332: No mapping between account names and security IDs was done.
      Cannot find RDWebAccess.
     Configure DefaultAppPool.
    Error 1332: No mapping between account names and security IDs was done.
      Cannot find DefaultAppPool.
     Configure S-1-5-21-3563429300-1458903267-4081849566-2714.
     Configure S-1-5-21-3563429300-1458903267-4081849566-1609.
     Configure S-1-5-21-3563429300-1458903267-4081849566-1004.
     Configure S-1-5-20.
      remove SeChangeNotifyPrivilege.
    Error 50: The request is not supported.
     Configuring some user rights for this account is not supported. Re-attempting configuration by ignoring unsupported operation errors.
      remove SeChangeNotifyPrivilege.
    Configuring SeChangeNotifyPrivilege for this account is not supported.
     Configure S-1-5-19.
      remove SeChangeNotifyPrivilege.
    Error 50: The request is not supported.
     Configuring some user rights for this account is not supported. Re-attempting configuration by ignoring unsupported operation errors.
      remove SeChangeNotifyPrivilege.
    Configuring SeChangeNotifyPrivilege for this account is not supported.
     Configure S-1-5-21-3563429300-1458903267-4081849566-2715.
     Configure S-1-5-21-3563429300-1458903267-4081849566-4609.
     Configure Classic .NET AppPool.
    Error 1332: No mapping between account names and security IDs was done.
      Cannot find Classic .NET AppPool.

    ===================

    When I check RSOP, the security references come from the Default Domain Controllers Policy.  I don't understand what to do, and I don't want to break the functionalities that are working.  The RDWebAccess account in the IIS Classic.NET AppPool has somehow been assigned rights without a mapping to a legitimate user SID.

    Is this normal?  Should I delete the rights assigned to RD WebAccess in the Default DC Policy (prefer not to mess with it) - or should I fix something that went wrong during the TS Web setup when I installed Remote Desktop Services?

    Thursday, April 22, 2010 8:01 PM
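
    An added example, not part of the original thread: a small Python parser for the "Configure User Rights" section of winlogon.log as quoted in the question. It groups each error under the principal it belongs to, so the names that failed with Error 1332 are separated from the SIDs that only reported Error 50. The function names are this example's own, and the embedded sample is a shortened excerpt of the log quoted above.

```python
import re

# Constructed sample: shortened excerpt of the winlogon.log section quoted in the question.
SAMPLE_LOG = """\
----Configure User Rights...
 Configure RDWebAccess.
Error 1332: No mapping between account names and security IDs was done.
  Cannot find RDWebAccess.
 Configure DefaultAppPool.
Error 1332: No mapping between account names and security IDs was done.
  Cannot find DefaultAppPool.
 Configure S-1-5-21-3563429300-1458903267-4081849566-2714.
 Configure S-1-5-20.
  remove SeChangeNotifyPrivilege.
Error 50: The request is not supported.
 Configuring some user rights for this account is not supported. Re-attempting configuration by ignoring unsupported operation errors.
  remove SeChangeNotifyPrivilege.
Configuring SeChangeNotifyPrivilege for this account is not supported.
 Configure Classic .NET AppPool.
Error 1332: No mapping between account names and security IDs was done.
  Cannot find Classic .NET AppPool.
"""

CONFIGURE = re.compile(r"^\s*Configure (.+)\.\s*$")  # start of one principal's entry
ERROR = re.compile(r"^\s*Error (\d+):")              # Win32 error code line
SID = re.compile(r"^S-1-\d+(-\d+)+$")                # principal written as a raw SID

def parse_user_rights(text):
    """Return {principal: [error codes]} for each 'Configure <principal>.' entry."""
    entries, current = {}, None
    for line in text.splitlines():
        m = CONFIGURE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, [])
            continue
        e = ERROR.match(line)
        if e and current is not None:
            entries[current].append(int(e.group(1)))
    return entries

def unresolved_names(entries):
    """Principals given by name that failed with Error 1332 (no name-to-SID mapping)."""
    return [p for p, errs in entries.items() if 1332 in errs and not SID.match(p)]

def unsupported_only(entries):
    """Principals whose only errors were Error 50 (request not supported)."""
    return [p for p, errs in entries.items() if errs and set(errs) == {50}]
```

    The names returned by unresolved_names are the entries to look for in the user rights settings of the policy that RSOP identifies as their source.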


All replies

  • You can have a look at that link: http://support.microsoft.com/kb/324383
    With kind regards
    Krystian Zieja
    http://www.projectnenvision.com
    • Marked as answer by dmburns Thursday, April 29, 2010 8:47 AM
    Friday, April 23, 2010 3:38 AM
  • Thanks, Krystian.  The link you provided applies to Windows 2000, including the Hotfix.  However, persistence led me to similar information in http://support.microsoft.com/kb/977695 - which applies specifically to this recurring bug in Windows 7 and Server 2008 R2.

    Why Microsoft keeps releasing its GPO infrastructure with this bug and then hotfixing it for each generation of OS is mystifying.  . . . no it's not.

    Anyway, the hotfix was easy to get and has been applied to all the DCs in the domain.  And the AD objects have been tweaked.  I've run it for a week, and the fix seems solid.  Thanks again for the lead.

    Thursday, April 29, 2010 8:53 AM