Dealing with Event 1202 SceCli: No Mapping Between Account and Security ID
Our backup Domain Controller has been reporting an unusual message in the event log recently, Warning Event ID 1202 on Source SceCli with the message “Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.”
A number of possible remedies are included for this error, but the first one pointed to the problem in our instance – a rogue user IIS account:
From the command prompt, type:
find /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output identifies the problem account names.
Then, running rsop.msc from the Run window showed where the accounts were appearing. In our case this was the Domain Controller Security Policy, where the rogue account appeared in three areas, including “Log on as a Batch Job”; these areas were marked with a red cross. The account was from a previously decommissioned Domain Controller, and removing it from these areas cleared the problem.
Once the problem was cleared the Event Log reported an Information Event ID: 1704 on Source: SceCli reporting “Security policy in the Group policy objects has been applied successfully.”
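The same two steps can be scripted: pull the unique account names out of the "Cannot find" lines, then list which user rights in a security template still name them. This is an added example, not part of the original post; the account names, log lines and template text are constructed samples, the function names are hypothetical, and SeBatchLogonRight is the template constant for “Log on as a Batch Job”.

```powershell
# Constructed sample of winlogon.log lines (not real log output).
$sampleLog = @'
Configure User Rights...
	Cannot find IUSR_OLDDC.
	Cannot find IUSR_OLDDC.
	Cannot find IWAM_OLDDC.
'@

# Constructed sample of a security template (INF) with a [Privilege Rights] section.
$sampleTemplate = @'
[Privilege Rights]
SeBatchLogonRight = IUSR_OLDDC,*S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0,IUSR_OLDDC,IWAM_OLDDC
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
'@

function Get-UnresolvedAccount {
    # Same search as: find /I "Cannot find" ..., reduced to unique account names.
    param([string[]]$LogLine)
    $LogLine |
        ForEach-Object { if ($_ -match 'Cannot find\s+(.+?)\.?\s*$') { $Matches[1] } } |
        Sort-Object -Unique
}

function Find-AccountInUserRights {
    # Lists every user right in [Privilege Rights] that still names one of the accounts.
    param([string[]]$TemplateLine, [string[]]$Account)
    $inSection = $false
    foreach ($line in $TemplateLine) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            # Entries are either *SID values or plain account names.
            $members = $Matches[2] -split ',' | ForEach-Object { $_.Trim() }
            foreach ($name in $Account) {
                if ($members -contains $name) {
                    [pscustomobject]@{ Account = $name; UserRight = $right }
                }
            }
        }
    }
}

# For the live log use: Get-Content "$env:SystemRoot\Security\Logs\winlogon.log"
$accounts = Get-UnresolvedAccount -LogLine ($sampleLog -split '\r?\n')
Find-AccountInUserRights -TemplateLine ($sampleTemplate -split '\r?\n') -Account $accounts
```

Each row of the output pairs a stale account with a user right it should be removed from, the same entries rsop.msc marks with a red cross.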