Event ID 6145: Other Policy Change Events
Posted 8/30/2010 5:43:46 PM
Forum Newbie
Group: Forum Members

We are receiving the following audit failure in the Security log every 5 minutes:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/30/2010 3:40:10 PM
Event ID:      6145
Task Category: Other Policy Change Events
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DomainControllerName
Description:
One or more errors occured while processing security policy in the group policy objects.

Error Code: 1332
GPO List:
{6AC1786C-016F-11D2-945F-00C04fB984F9} Default Domain Controllers Policy
{31B2F340-016D-11D2-945F-00C04FB984F9} Default Domain Policy


The audit failure appears to have started on 8/19 after a 4717 event:


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/19/2010 1:44:43 PM
Event ID:      4717
Task Category: Authentication Policy Change
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DCNAME.DOMAIN.LOCAL
Description:
System security access was granted to an account.

Subject:
 Security ID:  SYSTEM
 Account Name:  DOMAINCONTROLLERNAME$
 Account Domain:  DOMAIN
 Logon ID:  0x3e7

Account Modified:
 Account Name:  BUILTIN\Guests

Access Granted:
 Access Right:  SeDenyRemoteInteractiveLogonRight


I was reviewing the security logs that day (as noted in my journal), researching events.  I remember making a change to the DC GP, but not what or why (not noted in my journal).

What is causing the 6145 errors?  A conflict between the DC GP and the local security policy?  Doesn't the GP override local policy?

I am new to Windows 2008 server, and the learning curve has been steep.  Previously used a W2K DC.

Thanks!

Jerry S.

Post #452
Posted 8/31/2010 10:50:21 AM
OK, I found the issue causing the 6145 errors.

Was doing some more troubleshooting this AM, and came across a Warning.  This warning was propagating at the same 5 minute intervals as the 6145 errors:

Log Name:      Application
Source:        SceCli
Date:          8/31/2010 8:37:54 AM
Event ID:      1202
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      IFBDC.ifb.local
Description:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1. Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a. Start -> Run -> RSoP.msc
b. Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c. For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3. Remove unresolved accounts from Group Policy

a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in..."
c. From the "Add/Remove Snap-in" dialog box select "Add..."
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse" button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g. For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.


Fortunately, it was embedded with troubleshooting instructions.

Our "Guest" account is renamed.  When I was adding users to the Security Settings>Local Policies>User Rights Assignments>Deny log on through Remote Desktop Services, I misspelled the renamed "Guest" account name.  Removed the misspelled name, then "browsed" for the correct account, and the errors stopped.

Also, I found "Error 1332" in the winlogon.log file: 

Error 1332: No mapping between account names and security IDs was done.
  Cannot find "misspelled account".

Thanks!

Jerry S.

Post #453
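
As an added example (not part of the original posts), steps 1 and 2 of the instructions embedded in event 1202 can be scripted: pull the "Cannot find" names out of winlogon.log, then look for them in the [Privilege Rights] section of a GPO's security template instead of reading RSoP. The account name `RenamedGest`, the function names and the sample data are constructed for illustration, and the SYSVOL path layout in the closing comments is an assumption.

```powershell
# Added example. Sample data below is constructed; 'RenamedGest' is a made-up typo.
function Get-UnresolvedAccount {
    param([string[]]$LogLines)
    # Step 1: winlogon.log reports each failure as: Cannot find <name>.
    $LogLines |
        Select-String -Pattern 'Cannot find\s+"?(.+?)"?\.?\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique
}

function Find-RightReferencing {
    param([string[]]$TemplateLines, [string[]]$Account)
    $inSection = $false
    foreach ($line in $TemplateLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = $Matches[1] -eq 'Privilege Rights'
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            foreach ($entry in $Matches[2].Split(',')) {
                $name = $entry.Trim()
                # Entries saved as *S-1-... were resolved when the GPO was edited;
                # a bare name must be resolved on every policy refresh.
                if ($name -and -not $name.StartsWith('*') -and $Account -contains $name) {
                    [pscustomobject]@{ Right = $right; Account = $name }
                }
            }
        }
    }
}

$sampleLog = @(
    'Error 1332: No mapping between account names and security IDs was done.'
    '  Cannot find RenamedGest.'
)
$sampleTemplate = @(
    '[Unicode]'
    'Unicode=yes'
    '[Privilege Rights]'
    'SeBackupPrivilege = *S-1-5-32-544'
    'SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,RenamedGest'
)

$missing = Get-UnresolvedAccount -LogLines $sampleLog
Find-RightReferencing -TemplateLines $sampleTemplate -Account $missing
# On a DC, feed real files instead (<domain> and <GUID> are placeholders):
#   Get-Content "$env:SystemRoot\Security\Logs\winlogon.log"
#   Get-Content '\\<domain>\SYSVOL\<domain>\Policies\<GUID>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
```

Run against the template of each GPO named in the 6145 event, the output lists the user right that still references the unresolvable name, which is the entry to correct in step 3.
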
Posted 9/3/2010 11:30:04 AM
Expert
Group: Administrators

There could be many reasons for this and we'll need more events to figure it out.

I can tell you are getting this event from a domain controller because they reapply group policy every 5 minutes and the 2 GPOs listed are the 2 applicable GPOs for domain controllers.

The 4717 is not causing this because domain controllers are not part of the Guest group and the RemoteInteractive logon is for Remote Desktop which isn't anything DCs need.

Are there any other 4717s around the same time though?

Do you have "Audit logon events" and "Audit account logon events" enabled for Failure?  If so are you getting any logon failures around the same time for that domain controller?

Are you getting this for all DCs or just one?

Are there warnings or errors in the application log at the same time, if so what is the error reason?  Access Denied?

Have you been messing around with Logon Rights or group policy object permissions?

What are the current permissions on those 2 GPOs?

Post #457
All times are GMT -5:00