secedit can not import templates with IIS Virtual Accounts specified

    Question

  • Platform: Win2008R2 SP1 64bit

    My task is to modify the existing Local Security Policy via script to add and remove IIS AppPool identities (using the virtual accounts in Win2008R2).

    If I add the users to the policy via the Local Security Policy Administrative tool, and then export the policy via secedit.exe, the result will look like

    SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334,DefaultAppPool

    Note the user account is listed as a username, and not a SID.

    If I create a security template using the Security Template MMC snap-in and save the .inf, the result is the same: the user is saved as 'DefaultAppPool'.

    So both tools treat this type of account the same. And it should be noted that there is no problem adding/removing this account via the Local Security Policy tool under Administrative Tools.

    But any attempt to import a policy via secedit with any IIS Application Pool account names in the file will result in errors.

    using secedit.exe /configure /db secedit.sdb /cfg c:\test.inf

    In the scesrv log it will say:

    Configure DefaultAppPool

    ERROR 1332: No mapping between account names and security IDs was done.

    And when you open the Local Security Policy tool, the account 'DefaultAppPool' is not listed in the policies any longer.

    I've tried adding the account via SID by manually modifying the inf file and adding in *S-blah-blah

    Doing that, I can get the names to show up in the Local Security Policy tool, but then there appears to be an inconsistency, as the tool will error if you try to edit the policy, leading to entries missing.

    It appears that the secedit /configure option refuses to accept Virtual Accounts.

    If I repeat the same tests with a normal local user account, the tool will update the policy successfully (but it will still complain in the log about DefaultAppPool on other existing entries).

    Monday, June 25, 2012 3:37 PM
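As an added example (not code from this thread or from Microsoft), the script below does the check the poster is effectively doing by hand: it resolves every account under [Privilege Rights] to a SID, which is the same name-to-SID lookup LSA performs during secedit /configure, lists the entries that cannot be mapped (the ones that show up in scesrv.log as ERROR 1332), and writes a copy of the template with every account in *SID form. It assumes it runs on the target box with IIS installed, so that names in the "IIS AppPool\<pool>" form resolve, and it retries any bare name that is neither a local nor a domain account as an application pool identity; the parameter names and file paths are made up for the example.

```powershell
# Added example, not code from this thread: a pre-flight check for a secedit
# template. It resolves every account listed under [Privilege Rights] to a SID,
# the same lookup LSA performs during secedit /configure, reports the entries
# that cannot be mapped (the ones that surface as "ERROR 1332: No mapping between
# account names and security IDs was done" in scesrv.log), and writes a copy of
# the template with every account in *SID form.
# Assumptions: the script runs on the target box with IIS installed, so names in
# the "IIS AppPool\<pool>" form resolve; a bare name that is neither a local nor
# a domain account is retried as an application pool identity.
param(
    [Parameter(Mandatory = $true)] [string] $InfPath,   # template to check, e.g. c:\test.inf
    [Parameter(Mandatory = $true)] [string] $OutPath    # where to write the *SID-form copy
)

function Resolve-PolicyAccount {
    param([string] $Name)
    if ($Name.StartsWith('*')) { return $Name }          # already written as *SID
    foreach ($candidate in @($Name, "IIS AppPool\$Name")) {
        try {
            $account = New-Object System.Security.Principal.NTAccount($candidate)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
            return '*' + $sid.Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # unknown under this spelling; try the next candidate
        }
    }
    return $null
}

$unresolved = @()
$section = ''
$output = foreach ($line in (Get-Content -LiteralPath $InfPath)) {
    if ($line -match '^\s*\[(.+)\]\s*$') {
        $section = $Matches[1]
        $line
    } elseif ($section -eq 'Privilege Rights' -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
        $privilege = $Matches[1]
        $entries = foreach ($entry in ($Matches[2] -split ',')) {
            $name = $entry.Trim()
            if ($name -eq '') { continue }
            $sid = Resolve-PolicyAccount $name
            if ($null -eq $sid) {
                $unresolved += "$privilege : $name"
                $name                                     # keep the original text in the output
            } else {
                $sid
            }
        }
        "$privilege = $($entries -join ',')"
    } else {
        $line                                             # everything outside [Privilege Rights] passes through
    }
}

# Exported templates declare "Unicode=yes", so write the copy as UTF-16 too.
$output | Set-Content -LiteralPath $OutPath -Encoding Unicode

if ($unresolved.Count -gt 0) {
    Write-Warning 'These entries will fail with ERROR 1332 during secedit /configure:'
    $unresolved | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
Write-Host "All accounts resolved; SID-form template written to $OutPath"
```

Run it as `.\Test-SeceditTemplate.ps1 -InfPath c:\test.inf -OutPath c:\test-sids.inf` and, if it exits 0, feed the copy to `secedit /configure /db secedit.sdb /cfg c:\test-sids.inf`. A non-zero exit tells you which privilege lines will be rejected before the policy database is touched, which is what you want to know given that a failed import silently drops the account from the policy. It does not work around the bug itself: as the poster reports, a pre-hotfix machine still fails even when the template is already in *SID form, so the hotfix in the accepted answer is still required.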

Answers

All replies

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    Here is another thread with the same "1332" error. I suggest we check the information in this thread to see if it can be helpful in your situation.

    Winlogon.log - No mapping between account names and SIDs

    http://social.technet.microsoft.com/Forums/sr/windowsserver2008r2general/thread/b343f260-e3a4-4c9b-8024-a0e3ac9dc163

    Regards

    Kevin
    Wednesday, June 27, 2012 3:59 AM
  • Hi, a link in that thread shows a very similar error - with possibly the same root cause - but it doesn't solve my issue.

    The KB at http://support.microsoft.com/kb/977695 sounds identical, except it relates to Group Policy Template editing instead of Local Security Policy editing. I also can't relate the workaround, because I don't have GPO templates to edit. Using the secedit command line to import also results in the same error, even if I use the SID instead of the account name.

    However, the hotfix linked in that KB will not apply itself to my Win2008R2 SP1 64bit install. The installer checks itself and says it doesn't apply. I don't know if that's because this hotfix is rolled into something later? The box is fully updated with all important and optional updates from Windows Update.

    Wednesday, June 27, 2012 4:00 PM
  • Turns out this is a bug in Windows.

    Hotfix available at http://support.microsoft.com/kb/2411938

    • Marked as answer by skapinos Thursday, June 28, 2012 1:48 PM
    Thursday, June 28, 2012 1:48 PM
  • Hi,

    Thanks for sharing your solution with us. It can be helpful to other community members who face similar problems.

    Have a nice day.

    Best Regards

    Kevin
    Friday, June 29, 2012 1:55 AM