SceCli 1202 events are logged every time Computer Group Policy settings are refreshed

    Question

  • I have an issue with a new Windows Server 2012 R2 Standard DC and am getting the SceCli 1202 events logged every time Computer Group Policy settings are refreshed. I have looked over these two, and the part that seems to be eluding me is that there is no winlogon.log file.

    https://support.microsoft.com/en-us/kb/974639/en-us

    https://support.microsoft.com/en-us/kb/2000705/en-us

    Following the rest of the KB, I see that I have the Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignments/Log On As Service listed with the Red X.

    Though looking at the users in the list, all are accounted for in AD. There were several others in Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignments/XYZ that had S-#-#-#_# that I removed, though Log On As Service is the only one listed with the Red X.

    The Error Information in the RSOP also lists the same Error as the Event log:

    Security has requested to process its policy settings again.  This can be due to non-critical errors occurring during the previous processing of policy. Additional Information: Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

    Since I don't have the WINLOGON.Log file, I don't know which user in the list is the potential issue. Not sure where to go from here.

    Tuesday, March 24, 2015 8:24 PM

All replies

  • > Since I don't have the WINLOGON.Log file.
     
    Where did you look for it?
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, March 25, 2015 7:54 AM
  • C:\windows\security\logs I believe (not in front of the event log where it said to look)
    Wednesday, March 25, 2015 1:26 PM
  • > C:\windows\security\logs I believe (not in front of the event log where
    > it said to look)
     
    That's the correct path - did you access it from an elevated prompt?
    I've never seen a windows box not writing this winlogon.log (since W2K,
    of course :-D)
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, March 25, 2015 3:54 PM
  • I thought it was odd too. I've logged into that DC several times as I had to reboot several times to get all the updates applied. It is a new DC. With some further checking, none of the 2012 R2 servers have the file. 2012 and the 2008 R2 servers do. Did 2012 R2 move it or turn off logging by default?

    Am I missing something?


    Wednesday, March 25, 2015 5:51 PM
  • Okay, so a bit further.

    Knowing that it's not there on 2012 R2, Google returned this: http://windows.ittips.eu/2014/03/no-winlogonlog-file.html

    So now I have the winlogon.log file and it contained this

    Configure MSSQL$MICROSOFT##WID.
    Error 1332: No mapping between account names and security IDs was done.
      Cannot find MSSQL$MICROSOFT##WID.

    Looking at all other DCs, it looks like this is an issue on all of them with the same user and error. The Googling I found says to uninstall the thing that uses WID and then reinstall it. Not really sure I want to go that far. Can I just install something on a DC that uses it to fix the issue?

    Wednesday, March 25, 2015 6:11 PM
  • So not sure of the ramifications here, though I installed WID on the new DC, no change in gpupdate. Going into Services I saw that the WID service was logging in as: NT SERVICE\MSSQL$MICROSOFT##WID. The GPO has NT SERVICE\ALL SERVICES in it, so that should cover it, though just to be sure I also added NT SERVICE\MSSQL$MICROSOFT##WID to the list then removed just the "MSSQL$MICROSOFT##WID" entry. Guess I will have to reboot all of the DCs to see if there is something that will break because of this.

    Wednesday, March 25, 2015 6:42 PM
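
An added example, not part of the original thread: a PowerShell sketch that pulls the unmapped account names out of winlogon.log and checks whether each one resolves to a SID on the local machine, both as written and with the NT SERVICE\ prefix mentioned in the post above. The function names are hypothetical and the sample lines are constructed from the excerpt quoted in the thread.

```powershell
# Constructed sample mirroring the winlogon.log excerpt quoted in the thread.
# On a real machine, read the file from an elevated prompt instead:
#   $lines = Get-Content "$env:windir\security\logs\winlogon.log"
$lines = @(
    'Configure MSSQL$MICROSOFT##WID.'
    'Error 1332: No mapping between account names and security IDs was done.'
    '  Cannot find MSSQL$MICROSOFT##WID.'
)

function Get-UnmappedAccount {
    # Hypothetical helper: returns the unique names from "Cannot find <name>."
    # lines that directly follow an "Error 1332" line.
    param([string[]]$LogLines)
    $names = for ($i = 1; $i -lt $LogLines.Count; $i++) {
        if ($LogLines[$i - 1] -match '^\s*Error 1332:' -and
            $LogLines[$i] -match '^\s*Cannot find (.+)\.\s*$') {
            $Matches[1]
        }
    }
    $names | Sort-Object -Unique
}

function Test-AccountName {
    # Hypothetical helper: $true when Windows can translate the name to a SID
    # on this machine, $false when the lookup fails (the 0x534 / 1332 case).
    param([string]$Name)
    try {
        $account = New-Object System.Security.Principal.NTAccount($Name)
        $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
        $true
    } catch {
        $false
    }
}

# One row per unmapped name: does it resolve as written in the policy, and
# does it resolve once qualified with the service-account prefix?
foreach ($name in Get-UnmappedAccount -LogLines $lines) {
    $qualified = 'NT SERVICE\' + $name
    [pscustomobject]@{
        Account           = $name
        ResolvesAsWritten = Test-AccountName $name
        QualifiedName     = $qualified
        ResolvesQualified = Test-AccountName $qualified
    }
}
```

Run it on the machine that logs the 1202 event, since name resolution depends on which services and accounts exist there.
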
  • > Knowing that its not there on 2012 R2, Google returned
     
    Now that you mention this, I remember: We have a custom ADMX template
    that enables this, and it's enabled for all computers... :)
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, March 26, 2015 10:58 AM