
Event ID: 1202 Source: SceCli

Source
Level
Description
Security policies are propagated with warning. <error code>: <error description>. Please look for more details in TroubleShooting section in Security Help.
Comments
 
The error codes in the event description are given in hex format; the decimal value is also given here to make it easier to search for the error code.

Error code 0x5 (decimal 5) - Access is denied. This issue occurs because of the locked-down security that was originally set on the FRS through Group Policy. When you attempt to configure the FRS through Group Policy, the policy engine no longer has the permission to set security on the FRS and does not attempt to take ownership of the FRS. See ME284461 for resolution.

Error code 0xd (decimal 13) = "The data is invalid". This behavior occurs because three system environment variables (%SYSVOL%, %DSDIT%, and %DSLOG%) are referenced in the Basicdc.inf file, but exist only during the Dcpromo process. These error messages are generated each time the Default Domain Controllers policy is applied. See ME256000 for details.

Error code 0x3e5 (decimal 997) - "Overlapped I/O operation is in progress.". See ME295712 for a condition when this error code can occur (a 3rd party backup software may interfere with Active Directory operations).

Error code 0x534 (decimal 1332) - "No mapping between account names and security IDs was done.":
A program that creates user accounts and assigns rights to those accounts was installed. Later, the program was removed and the user accounts were deleted, but the rights assigned to those accounts were still in policy. Alternatively, a user account was added and rights were assigned to it; the account was later deleted, but not removed from security policies. The "0x534" code is the hex for "1332". Following the suggestions in ME324383 (see the link below) helps. Make sure you check the domain, domain controllers and local group policies.

Error code 0x4b8 (decimal 1208) - "An extended error occurred". See ME260715 - A conflict in Group Policy can cause these events to occur. These error messages can occur if the "Rename Administrator Account" security policy is enabled and then set to an account name that is already in use. Also, as per ME285903, to resolve this behavior, remove all references to the Power Users group in the Local Security settings.
I had this error on an SBS 2003 server. Error 1202 - SceCli. We had power users group added to the GPO under two policies. After removing the power users group - the error was resolved. Follow the event log info to remove and find the offending user/group in the GPO.
We were seeing this on Citrix servers which had File System references to C:\. The C: doesn't exist on the Citrix servers.
Error code 0x4b8 (Error code 1208) - We received an error on every GPO update on the local machine (DC), and on every access on our DC. Using GPresult, we found out that the Default Domain Controller Policy was filtered out on our DC. After a short investigation, we noticed that for this policy, it was set as "Computer Configuration Settings disabled". Re-enabling this setting and after gpupdate /force on the DC, the errors were no longer showing up in eventlog.
Error code 0x4b8 (decimal 1208) - "An extended error occurred". The SceCli error kept happening every 4 to 5 minutes on our Server 2003 DC and made the PC seem like it was hanging for about 20 to 30 seconds each time the event occurred. The problem was not caused by renaming the administrator account or by a corrupted security database, but by an ATI graphics driver. In GPO, we enabled the "Devices: Unsigned driver installation behaviour properties" in Computer configuration, Windows settings, security settings, local policies, security options and set it to "warn but allow installation". This cured our problem.


We had used a temporary account for testing of policies. The account was deleted, apparently, without removing the account from policies. The event log blew up with the 1202 error every 5 minutes. Using the following command, we were able to determine the offending account. Additional instructions have been included.

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID. This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO. To resolve this event, contact an administrator in the domain to perform the following actions:

1. Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDoe.

In this case, the SID for username "JohnDoe" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:
- Start -> Run -> RSoP.msc
- Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
- For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3. Remove unresolved accounts from Group Policy
- Start -> Run -> MMC.EXE
- From the File menu select "Add/Remove Snap-in..."
- From the "Add/Remove Snap-in" dialog box select "Add..."
- In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
- In the "Select Group Policy Object" dialog box click the "Browse" button.
- On the "Browse for a Group Policy Object" dialog box choose the "All" tab
- For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.
We had the following warning when GPOs were applied:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
I discovered that the servers were missing the Group Policy Preferences CSE update, which is needed to process the GPP side of our GPO.
The GPO is creating several special local groups and assigning special rights to them.
We solved this by either applying the GPP CSE update (KB943729) or by creating the local groups manually and forcing group policy update on computers.
Those having Czech, Slovak or Turkish installations, might experience a problem where:
- SceCli gives a warning in the application event log (error 0x428)
- The computer restarts after ESENT crashes

All relevant to ME320099 but also ME326955. The troubleshooting according to Q32009 didn't help, because there were no errors in the winlogon.log. The thing that helped was to rename the Scesrv.dll.mui to something else. No more errors for now.
- Error code 0x57 (Error code 87) = "The parameter is incorrect" - We had changed our domain policies to require 15 character passwords via modifying the adm file and the domain properties in adsiedit. When the computers processed this policy they failed out and stopped processing the rest of the policy. I changed the password requirement to 14 characters (max natively supported by windows) and the policies were able to be processed.
- Error code 0x4b8 = "An extended error has occurred" - See ME296854, ME827012, ME835744, ME835901, and ME837166.
- Error code 0x534 - See ME281454, ME329816, ME839115, ME890737, ME918451, and the link to "Windows XP Troubleshooting".
- Error code 0x2 - See the link to Error code 0x2 for details.
- Error code 0x5 = "Access is denied" - See ME310741 and ME319352.

- Error description: "No mapping between account names and security IDs was done" - See ME834519.

See the links to "Active Directory Operations Overview", WITP74571, and MSW2KDB for additional troubleshooting information.
- Error code 0xb - I also began experiencing this issue after replacing a failing hard drive using Norton Ghost. I followed the instructions to delete\rename the C:\WINDOWS\security\Database\secedit.sdb file. After running "gpupdate /force" the error went away.
It is possible that the ASP.NET account is defined in the Domain Policy but does not exist on the Local Computer. I installed the ASP.NET component and the warning ceased to occur.
As stated by Christian Jones’s post, I also went to the “C:\WINDOWS\security\Database” folder and renamed all the files in this folder to *.bak. Then, I manually ran "gpupdate /force" and the secedit.sdb file was recreated for me as well. However, I also had to give Domain Users FULL rights to the folder, as our users are only in Domain Users and Local Users on the PCs. After this, the policies updated normally.
- Error code 0x4b8 = "An extended error has occurred" - This error appeared on the GPO that renamed administrator ID or disabled "Guest" account. This issue appeared because %Windir%\security\Database\Secedit.sdb was corrupt. Check "esentutl /g %Windir%\security\Database\Secedit.sdb". It will say the database is either corrupt or out-of-date. Run "esentutl /p %Windir%\security\Database\Secedit.sdb" to repair or simply delete the %Windir%\security\Database\Secedit.sdb file. The database will be recreated on the reboot. Either choice will need a reboot.


See "Troubleshooting Active Directory Replication Problems" for information on this problem. In addition, here are a couple of links on how to enable and work with Winlogon.log: ME245422, "Interpreting Security Settings log files", and "Enable Logging for Security Settings".
Error code 0x5 = "Access is denied" - I received this error on a Windows XP client machine. I examined the C:\windows\security\logs\winlogon.log file and it showed this:

Configure machine\software\microsoft\driver signing\policy.
Warning 5: Access is denied.

Looking at the registry key HKLM\Software\Microsoft\Driver Signing on the client machine, I found that there was an explicit Deny permission set. You can find the permissions set by right-clicking “Driver Signing” -> Properties -> Advanced -> tab Permissions. This permission was not set on any other XP or 2000 client PCs. Removing the Deny permission allowed the GPO to process the registry key successfully.
Error code 0x2 - This problem can occur on Citrix MetaFrame servers following the remapping of drive letters. This error will be accompanied by ESENT error events 454 and 439. This is for member servers only. In order to correct the problem, the files edb.chk, edb.log, res1.log, and res2.log located in the “%systemroot%\security” folder need to be renamed. You will also need to rename “%systemroot%\security\database\secedit.sdb”. Once this is completed, reboot the server, and the error should be gone.
- Error code 0x4b8 (Error code 1208) - In our case, we received this event at every 5 min GPO refresh cycle. To fix the problem, we just deleted the following files:
%SystemRoot%\Security\Edb.*
%SystemRoot%\Security\Res*.*
The files will recreate themselves the next time you go into the Local Security Policies.
On a RIS image of a Windows XP SP2 system in a Windows 2003 SP1 environment, I started receiving this warning, along with error 1000. A search came up with article ME296854, which suggested a bogus group was being referenced somewhere in the policies or on my system. This led me to article ME285903 to remove power users from the local policies.
Additionally, I had found following the recommended logging steps in article ME324383, that the local security database might have been corrupted. I attempted a repair using the “esentutl /r” command, and an event log was recorded when attempting to repair the file. As it turned out, the system was trying to use a security profile in the user's home directory, rather than the local security directory.
The result was that I followed the steps in article ME278316 to resolve the problem. This resolved the local security database corruption, where the security database was pointing to, and the errors and warning showing up in the event log during bootup or during a policy refresh with gpupdate.
- Error code 0x3e5 = "Overlapped I/O operation is in progress" - In one case, this occurred on a domain that was created by restoring an image of a domain controller and then promoting two other domain controllers with DCPROMO. It was found that AD replication was not working. It is believed that the original image may have contained Active Directory objects that were older than the tombstone lifetime interval or some other corruption. This was fixed by using DCPROMO to demote/promote one domain controller at a time and seizing the FSMO roles.
- Error code 0x57 (Error code 87) = "The parameter is incorrect" - In one case, this Event ID appeared on a computer running Windows 2003 SP1. It appeared after the D: drive became faulty and an attempt was made to reformat it from Computer management -> Disk Management. This attempt proceeded extremely slowly, taking several days to reach "5% formatted". Windows became unresponsive even though Windows Task Manager showed that there was CPU available. This was resolved by removing the D: drive until a replacement became available.
We were observing the event on a Windows XP workstation. In addition, the workstation would not honor all group policies (application of policies would fail at an unknown point). We followed ME324383 to no avail. Opening the Local Security Policy snap-in produced an error. We renamed the local security database (secedit.sdb to secedit.sdb.old), rebooted, and the problem seems to be resolved. The database in question is located in %WINNT%\Security\Database\.
Error code 1208 = “An extended error has occurred. Error creating database” – Even after disabling all GPO's for this server, the error was still occurring. I renamed "C:\WINDOWS\Security\Database\secedit.sdb", rebooted, and the error was gone.


The problem in our network was that there was no DomainMasterBrowser in our Domains and the computer browser service on our domain controller was disabled. Check the registry entry HKLM\System\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster and see if one of your DCs has the value "Yes". Only one server should have this value. Also start the computer browser service if it has been disabled.
Error code 0xd - "The data is invalid." - See ME250454 and ME259395.
Error code: 0x4b8 (Decimal 1208) = "An extended error has occurred." - I had problems with a service that started "too early" with respect to the Group Policies, which "were not in place". This resulted in some kind of conflict and Windows XP was "Applying computer settings" for a long time. I set the service to depend on NLA (Network Location Awareness) and the problem was solved.
Error code 0x4b8 - In our case, we had the error occurring at every 5 min GPO refresh cycle. We set up logging per ME324383. The problem turned out to be with Restricted Groups; it was attempting to remove a user ID whose Primary Group was set to that of the Restricted Group and so it failed and did not process the rest of that GPO. Changing the Primary Group back to the default of Domain Users immediately fixed the problem.
I fixed this problem by following the instruction posted on the www.tech-geeks.org website. See the link to "www.tech-geeks.org - W2K Server SceCli error 1202" for the instructions.
Error code 0xd - This can occur with any variable that is specified incorrectly in a “File System” policy. I found a customer that had specified “%system32%\system32\file.dll”. Obviously, “%system32%” is not a valid variable. Once I corrected the variable, the error ceased. Additionally, if the variable is incorrect, the policy will not complete processing and halt all of it from applying.
My problem was caused by invalid permissions on a registry key. I found out which key was causing the error by looking in the “winlogon.log” file, found in “c:\windows\security\logs”. I just changed the permissions to same as the parent key and the error went away.
Error code 0x2 - I have found this to be due to a disk space issue on the system partition. There was not enough free space on the system partition for ESENT, which needed about 200MB to write a “tmp.edb” file.


Error code 0x5 = Access is denied - If you remove permissions for the SYSTEM account from the root of the system drive (typically C:\), you will receive this error. Make sure that the SYSTEM account has Full Control permissions.
Error code 0x57 = "The parameter is incorrect." The invalid parameter in my case turned out to be a lack of security settings on services in the default domain policy. I had shut off the Messenger service and never defined security for it. Added everyone and all was better.
See ME324383 "Troubleshooting SCECLI 1202 Events" on how to approach this event.
Error code 0x5 = "Access is denied." - This error can occur if the file permissions on the C:\Winnt\sysvol\sysvol\<domainname>\policies tree do not include the Group Policy Creator Owners group. This group should have RWEM access to all files and folders within the tree.
Error code 0x57 - "The parameter is incorrect." This was caused in my case by resetting security on one service in "Computer configuration\Windows Settings\Security Settings\System Services" of one group policy. I looked through winlogon.log and found the error:

----Configure General Service Settings...
Configure Dhcp.
Error 87: The parameter is incorrect.
Error configuring Dhcp.

So I looked for dhcp service security settings in my GPOs and reset them.
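
The winlogon.log checks described in the comments above (the FIND for "Cannot find", and a "Configure ..." line followed by "Warning 5" or "Error 87") can be done in one pass. This is an added example, not part of the original comments: the function name and output property names are hypothetical, and the sample lines are constructed from the excerpts quoted on this page.

```powershell
# Added example (not from the original page).
# Constructed log excerpt, assembled from the lines quoted in the comments above.
$sample = @'
----Configure General Service Settings...
Configure Dhcp.
Error 87: The parameter is incorrect.
Error configuring Dhcp.

Configure machine\software\microsoft\driver signing\policy.
Warning 5: Access is denied.
Cannot find JohnDoe.
'@ -split "`r?`n"

function Get-SceLogFinding {
    # Hypothetical helper: pairs each "Warning N:" / "Error N:" line with the
    # most recent "Configure <target>" line, and reports "Cannot find <account>"
    # lines as unresolved accounts (the 0x534 / 1332 case).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]      # real logs contain blank lines
        [string[]] $Line
    )

    $target = $null               # setting currently being configured
    foreach ($raw in $Line) {
        $text = $raw.Trim()

        if ($text -match '^-*\s*Configure\s+(.+?)\.*$') {
            # Remember what was being configured when a failure follows.
            $target = $Matches[1]
        }
        elseif ($text -match '^(Warning|Error)\s+(\d+):\s*(.+)$') {
            $code = [int]$Matches[2]
            [pscustomobject]@{
                Kind    = $Matches[1]
                Code    = $code
                Hex     = '0x{0:x}' -f $code   # form used in the 1202 event text
                Target  = $target
                Message = $Matches[3]
            }
        }
        elseif ($text -match 'Cannot find\s+(.+?)\.?$') {
            [pscustomobject]@{
                Kind    = 'CannotFind'
                Code    = 1332
                Hex     = '0x534'
                Target  = $Matches[1]          # account name that has no SID
                Message = 'Account name could not be resolved to a SID'
            }
        }
    }
}

# Run against the constructed sample.
Get-SceLogFinding -Line $sample | Format-Table -AutoSize

# Against a real log (path as given in the comments above):
# Get-SceLogFinding -Line (Get-Content "$env:SystemRoot\Security\Logs\winlogon.log")
```

The Target column gives the registry key, service or account to look for in RSoP.msc when tracing the failure back to its Source GPO.
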
ME256345 helped me to fix it. The scenario was that we were tightening down security and removing the everyone group from the root of the logical drives. When Group policy was originally set up, some machine security settings (specifically System services) had been configured. By default the everyone group is used. By going back to that group policy, finding the system service that was configured, opening it up and changing the security setting to match our new root drive security settings, fixed the error.
This event can also happen if you rename the Administrator account. To resolve the issue create an account named Administrator and disable it.
Error code 0xd - "The data is invalid.": There are two situations where I've experienced this problem:
1) Domain Controllers - 1202 and 1000 every 5 minutes - the problem is due to missing SYSVOL, DSDIT, and DSLOG environment variables and the fix is described in the Microsoft Knowledge Base (ME250454)
2) Workstations and member servers - 1202 and 1000 errors about every 2 hours. If you turn on the ExtensionDebugLevel (as described in Knowledge Base article ME245422) and look in winlogon.log, you see near the end that it fails on %DSDIT%. [..] Situation 2 can occur by unknowingly applying the basicdc.inf security template to the entire domain instead of to just the domain controllers. When this happens, there will be references in the applied domain security template to DSDIT, DSLOG, and SYSVOL, even though these and their directories only exist on domain controllers. To get rid of the error in Situation 2, these references must be removed. I find the easiest way to do this is the following:
Open up Domain Security Policy tool (or whatever topmost container holds the computers giving you the errors), right click on Security Settings, choose Import Policy, make sure you check the box that says "Clear this Database before importing" (otherwise the changes are just additions to the settings that are already there), then choose "setup security.inf". This will get you back pretty close to default, losing any customizations you made (that weren't being applied anyway).
In about 5 minutes, all your domain controllers should pick up the change. Your workstations and member servers will pick them up much later, unless you do a "secedit /refreshpolicy machine_policy /enforce" at a command prompt on each of these machines.
Error code 0x534 (1332 Decimal) - "No mapping between account names and security IDs was done.": A removal of IIS 5 from the server creates this error and Event ID 1000 every 5 minutes as well. An install adds the iusr accounts to the security policy, but an uninstall does not remove them.


Error code 0x6fc (1788 Decimal) = "The trust relationship between the primary domain and the trusted domain failed." - See ME279432.
Error code 0x4b8 (1208 Decimal) = "An extended error has occurred.". See ME278316.
If you are getting event ID 1000 & 1202 every 5 minutes, then it also may be to do with IIS. If you have removed IIS & SMTP server then check that the DC has removed the IWAM & IUSR users from the security policy. Go into Domain Controller Security Policy, Security Settings, Local Policies, User rights Assignment & make sure that these users are taken out of any policies they are still in. Then run "secedit /refreshpolicy machine_policy /enforce" from the command prompt & your errors should disappear.
I have found that if there are any errors in the imported inf file to the GPO, you will receive these errors (0xd). Administrator used a local policy template that worked on other standalone servers and when imported to the Domain Controller, there were no errors observed. But every 5-7 minutes we received the 1202 warning and 1000 error. To resolve, either create a new template from scratch or review every line in the template for errors. We rebuilt the template from scratch in about 20 minutes. Now we receive no errors.
ME257247 explains how to remove the security settings on a system service when a GPO is not processed. A group policy had been deployed that locked out the domain administrators group from modifying a system service. GPOs would not be updated after this first one was applied. To allow for updating of the security of the system service all security had to be deleted and the system rebooted. On the reboot the new/updated GPO is applied with the correct security configuration.
This event can also be generated (in conjunction with event 1000) if you configure security settings on services in GPO. If you remove the full rights to the SYSTEM, the system is unable to apply the security settings. See WITP74885 for full details.
Error code 0x5 - "Access is denied." - This problem was due to security mistakenly too tight on IIS Admin Service (access denied to everyone) in GP which in turn prevented FTP service security from being updated (FTP service applet couldn't even be launched from the services window). Restoring admin access to IIS Admin Service allowed for update of FTP service security settings and solved the issue.
I was experiencing Events 1000 & 1202 every 90 minutes in a native-mode Win2k domain (turned out the only DC was upgraded from NT4.0) on all newly added Win2k Pro clients. Group policy was not being applied to any new machine. To resolve the problem, after auditing the group policy processing, I added the Group "Pre-Windows 2000 compatible Access" to each machine's local SAM. Following the group addition, running secedit /refreshpolicy user_policy /enforce (or machine_policy) showed that group policy had now been applied successfully.
Error code 0x5 = "Access is denied." - This specific error means that when the policy was being applied to the system, the account in which the policy is being run as did not have permission to make a required change. You can review C:\Winnt\Security\Logs for exact details in Windows 2000, or C:\Windows\Security\Logs\winlogon.log in Windows XP.


Error code 0xd = "The data is invalid." - See ME250454 and ME259395.
Error code 0x534 (1332 Decimal)- "No mapping between account names and security IDs was done.": This was caused in my case by a security template applied locally (local security policy) that had the Power Users group used in the User Rights Assignment section on a Domain Controller. I just removed the 'Power Users' group (and any other group or user not in AD) from any policies that affect any DC and the errors go away after a secedit /refreshpolicy machine_policy /enforce command is issued.
Error code 0x5 - "Access denied". GPOs could not be distributed because in the security settings of several GPOs the user account "SYSTEM" did not have the right to take over the GPO. In addition, the service "distributed link tracking client" had to be configured to start automatically with full permissions for administrator group and user account "SYSTEM".
Error code 0x428 (Decimal 1064) = "An exception occurred in the service when handling the control request." I had this same situation (1000 and 1202 every 5 minutes). This was cleared up via MS article ME320099. There was one group that was causing the security policies to not apply. Enabling logging for Security Configuration Client Processing (ME245422) enabled me to find out which group was causing the problem.
Error code 0xd = "The data is invalid" - It can also happen if you apply security policy rule to file system resource and then delete it without deleting policy rule first. It happens both on domain controllers (within 5 minutes) and members (within 2 hours).
To resolve this issue delete appropriate security policy rule and refresh domain (machine) policy. If event 1202 and 1000 messages persist, load default domain security template.
Error code 0x4b8 = "An extended error has occurred." - This problem is caused by applying policies with defined restricted groups, i.e. the specified restricted group contains a local administrator account which doesn't exist on your local machine. Depending on your needs choose either to delete the entry of that account from the specified group in restricted groups or establish that account on the local machine. The important issue is a match of the accounts mentioned in restricted groups with those on the machine(s).
