Group Policy Event ID 1058 Error Code 1326 (The user name or password is incorrect)


  • I am seeing a very odd error on one of our domain controllers. I have dealt with Event ID 1058 errors whereby a policy (or policies) were not replicating, but we are receiving this error along with error code 1326 on this server, and it is apparently only happening with the default domain policy:

    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          8/10/2015 3:09:54 PM
    Event ID:      1058
    Task Category: None
    Level:         Error
    User:          S-1-5-21-1484152634-2550175353-3916092219-3287
    Computer:      <DC Name>.<domainname>
    The processing of Group Policy failed. Windows attempted to read the file">
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
        <TimeCreated SystemTime="2015-08-10T19:09:54.008905300Z" />
        <Correlation ActivityID="{E6440388-AAF9-4E59-B945-73179E2ADF3F}" />
        <Execution ProcessID="880" ThreadID="3256" />
        <Security UserID="S-1-5-21-1484152634-2550175353-3916092219-3287" />
        <Data Name="SupportInfo1">4</Data>
        <Data Name="SupportInfo2">820</Data>
        <Data Name="ProcessingMode">0</Data>
        <Data Name="ProcessingTimeInMilliseconds">3432</Data>
        <Data Name="ErrorCode">1326</Data>
        <Data Name="ErrorDescription">The user name or password is incorrect. </Data>
        <Data Name="DCName"><dcname>.<domainname></Data>
        <Data Name="GPOCNName">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=<domainname>,DC=com</Data>
        <Data Name="FilePath">\\<domainname>\sysvol\<domainname>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>

    (Some information redacted)

    Now, I haven't failed to notice that the username is listed as a SID.  Based on various queries I have done, this SID currently does not exist in our domain.

    This only replicates with one other domain controller, which is our PDC and resides in our corporate datacenter.  It almost seems like DFSR is trying to connect to some outdated DC to replicate, but I cannot find any indication of why it might be doing this.  I have already looked at the DFS Management console on this server and everything looks exactly like it does on every other DC.  The DFSR event logs are also not reporting anything wrong.

    While this doesn't appear to be hurting anything--the default domain policy IS updating in SYSVOL on this server and replication diagnostics all check out OK--I'd like to correct whatever is causing this.  Anyone run into anything similar or have any ideas?

    Monday, August 10, 2015 10:31 PM