Discussion:
Warnings when backing up Group Policy Objects?
(too old to reply)
Tom Walker
2005-11-01 14:04:07 UTC
Permalink
Doing this prior to applying SP1 for SBS 2003 and get a couple of warnings:

GPO: Default Domain Controllers Policy...Succeeded, but note the following
issues:

[Warning] The security principal
[S-1-5-21-1500072863-2123835711-316617838-1065] referenced in extension
[Security] cannot be resolved, but the task will continue. In the future,
you can use a migration table to map or remove this security principal.
Details: No mapping between account names and security IDs was done.

[Warning] The security principal
[S-1-5-21-1500072863-2123835711-316617838-1062] referenced in extension
[Security] cannot be resolved, but the task will continue. In the future,
you can use a migration table to map or remove this security principal.
Details: No mapping between account names and security IDs was done.

Browsing through the Default Domain Controllers Policy, I found:

Log on as a batch job
AZNETWORK\IIS_WPG, AZNETWORK\IWAM_AZSERVER, NT AUTHORITY\LOCAL SERVICE,
AZNETWORK\SQLExecutiveCmdExec,
S-1-5-21-1500072863-2123835711-316617838-1062,
S-1-5-21-1500072863-2123835711-316617838-1065, AZNETWORK\SUPPORT_388945a0,
AZNETWORK\Administrator, AZNETWORK\IUSR_AZSERVER

How do I establish what's causing the warnings and stop them?

Tom Walker
Mark Heitbrink [MVP]
2005-11-01 14:33:56 UTC
Permalink
Post by Tom Walker
[Warning] The security principal
[S-1-5-21-1500072863-2123835711-316617838-1065] referenced in extension
[Security] cannot be resolved, [...]
This and the -1062 are deleted Accounts, that are no longer valid
and thats why the error apears, because it can´t be resolved.
But they are still mentioned in your security settings.
Post by Tom Walker
Log on as a batch job [...]
Remove the two Accounts with the SID.
I think it was a special account you create just doing this task.
After changing the taks or perhaps deleting the task you also
deleted the account, but you didn´t change the policy.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
PM: ***@Homepage, Versende-Adresse wird nicht abgerufen.
Tom Walker
2005-11-02 11:36:08 UTC
Permalink
Thanks, Mark. That fixed it.
Post by Mark Heitbrink [MVP]
Post by Tom Walker
[Warning] The security principal
[S-1-5-21-1500072863-2123835711-316617838-1065] referenced in extension
[Security] cannot be resolved, [...]
This and the -1062 are deleted Accounts, that are no longer valid
and thats why the error apears, because it canŽt be resolved.
But they are still mentioned in your security settings.
Post by Tom Walker
Log on as a batch job [...]
Remove the two Accounts with the SID.
I think it was a special account you create just doing this task.
After changing the taks or perhaps deleting the task you also
deleted the account, but you didnŽt change the policy.
Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
Loading...