
Event ID: 1004 Source: SceCli

Source
Level
Description
Policy change from LSA/SAM on DC can't be replicated to other DCs.  Error <error code> to save policy change in default GPO
Comments
 
Error code 4312: The object identifier does not represent a valid object.

Error code 1332: No mapping between account names and security IDs was done. Some users reported this error as starting after the installation of security hotfix ME296185 (Malformed Hit Highlighter in Windows 2000 Index Service). According to a Usenet posting: "We're having the same problem on 2 out of 3 member servers and a 4 hour call to Microsoft failed to correct it. We believe the root of the problem is orphaned SIDs, but we cleaned up all those we could find in GPO, shares, file security, etc, but that still didn't fix the problem. Microsoft's last suggestion short of formatting and reinstalling was to take the domain down, create a new, bogus domain by a different name, take that domain down, then recreate the original domain. The theory was that doing so would destroy all remnants of the original domain. We're having the problem with both SP1 and SP2 systems, though the SP1 box has all the security patches applied. I've seen a suggestion that if the computer is multi-homed and print and file services is not bound to all NICs that may cause a problem as well. Another suggestion is that SMS uninstallation causes orphaned SIDs."

From another post: "Demoted all but one controller, removed ntfrs.db from both after stopping ntfrs on both. Removed the same from the remaining DC after stopping the ntfrs service. It moved scripts and policies out automatically and I then moved the originals back into the main domain folder and started the service again. Waited... all appeared ok (as it should because it wasn't replicating to anyone). Then promoted a member server. Waited patiently and eventually the replication started after a few tries and now all is well again."

Error code 1332: From a newsgroup post: "You most likely have a local policy on that DC that has a non-resolving SID. Start MMC and open up Group Policy, Local Machine, and search that for any SID that doesn't resolve to a name."

Reset the Default Domain Group Policy as per ME226243.

You might want to clean up DNS. It seems that removing the old records for the corresponding IP server addresses solves the problem. Worked for me.

Error code 3: "The system cannot find the path specified." I resolved this event by following ME253268. The "Domain Controller Security Policy" was the problem.

This problem is caused by removing an application like SMS, as some accounts which get removed remain in your default Domain controllers policy. To fix it, follow ME234237, as simply checking the policies for SIDs is not always sufficient, as these accounts may still appear by name.
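
The comments above for error code 1332 come down to finding policy entries whose SID or account name no longer resolves. The following PowerShell script is an added example, not part of the original page or of any Microsoft article: it reads a security template (a copy of a GPO's GptTmpl.inf or a `secedit /export` file) and reports every `[Privilege Rights]` entry that fails to translate in either direction. The `$TemplatePath` parameter, the `Test-PolicyPrincipal` helper name, and the restriction to the `[Privilege Rights]` section are assumptions of this example; it needs PowerShell 3.0 or later.

```powershell
# Added example: report [Privilege Rights] entries that do not resolve (orphaned SIDs or stale names).
param(
    [Parameter(Mandatory = $true)]
    [string]$TemplatePath   # assumption: path to a copy of GptTmpl.inf or a secedit export
)

# Hypothetical helper: returns $null when the entry resolves, otherwise the error text.
function Test-PolicyPrincipal {
    param([string]$Entry)
    try {
        if ($Entry -match '^\*(S-1-[0-9-]+)$') {
            # Entries written as *S-1-... are SIDs: translate SID -> account name.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
            [void]$sid.Translate([System.Security.Principal.NTAccount])
        } else {
            # Anything else is stored by name: translate account name -> SID.
            $account = New-Object System.Security.Principal.NTAccount($Entry)
            [void]$account.Translate([System.Security.Principal.SecurityIdentifier])
        }
        return $null
    } catch {
        # Typically IdentityNotMappedException, the .NET counterpart of error 1332.
        return $_.Exception.Message
    }
}

$inPrivilegeRights = $false
foreach ($rawLine in Get-Content -LiteralPath $TemplatePath) {
    $line = $rawLine.Trim()

    # Track which INF section we are in.
    if ($line -match '^\[(.+)\]$') {
        $inPrivilegeRights = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inPrivilegeRights -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }

    # Copy the captures before calling the helper, which runs its own -match.
    $right   = $Matches[1]
    $entries = $Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($entry in $entries) {
        $failure = Test-PolicyPrincipal -Entry $entry
        if ($failure) {
            [pscustomobject]@{ Right = $right; Entry = $entry; Error = $failure }
        }
    }
}
```

Run it on a domain controller or domain member so that domain accounts can be looked up; an empty result means every entry in the section resolved.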

