Event ID: 4098 Source: GroupPolicyLocalUsersandGroups

Level
Description
The computer 'Administrators (built-in)' preference item in the 'LocalAdminPolicy {77E77E2C-DD41-4BE8-BCA3-9D729ED51F98}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed.
Comments
 
1. Check there's no "Restricted Group Policy" applied on the computer
2. Use Update to preserve SID (i.e. Modifying built-in administrator)
3. The most important: Check "Apply once and do not reapply".

My guess is that when rebooting for the second time, GPO would try to "change again" the password to the same one. This behavior would hit with a Password history policy, avoiding reapply and showing a 4098 error.

From a Microsoft support engineer: "Please make sure that you don’t have any Group Policy “Restricted Groups” settings applied to your computers as they will override the group policy preferences settings. Please check it on your side.

Go to: Computer configuration > Windows Settings > Security Settings > Restricted group

If the issue persists, please let us know how you configure and apply the group policy in detail, such as the Action you choose, Replace or Update? Also, please provide us more information on the issue, such as which user or group can be removed and which ones could not be added?

You can check the following information for the differences on the Action:

Replace: Delete and recreate a local user with the matching name for the local computer. The net result of the Replace action overwrites all existing settings associated with the local user. If the local user does not exist, then the Replace action creates a new local user. Use caution when using the Replace action as the newly created user has a new SID.

Update: Rename a user or modify user settings. This action differs from Replace in that it updates the settings defined within the preference item. All other settings remain as they were previously configured. If the local user does not exist, then the Update action creates a new local user. The Update action does not change the SID of the user.

In addition, on the problematic Windows 7 computer, run Command Prompt with administrator privileges, then run “gpresult /v > C:\policy.txt”

Please paste the results here for research.

For more information on how to use this GPP and examples on how to define the settings, please check the EV100373 (Best Practice: How to use Group Policy Preferences to Secure Local Administrator Groups).
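
For triage across many machines, the following added example (not part of the original page or its comments) parses the event 4098 description shown above and decodes the error code, so that items failing because a name could not be mapped to a SID are separated from other failures. The function names and the second sample event are constructed for illustration.

```python
import re

# Layout copied from the event description on this page; accepting "user" as
# well as "computer" is an assumption about user-side preference items.
EVENT_4098 = re.compile(
    r"The (?P<scope>computer|user) '(?P<item>[^']+)' preference item in the "
    r"'(?P<gpo>.+?) \{(?P<guid>[0-9A-Fa-f-]{36})\}' Group Policy object did not "
    r"apply because it failed with error code "
    r"'(?P<hresult>0x[0-9A-Fa-f]{8}) (?P<text>[^']*)'"
)
FACILITY_WIN32 = 7
ERROR_NONE_MAPPED = 0x534  # Win32 error 1332, the text shown in the event

def decode_hresult(value):
    """Return (failure bit, facility, code) for a 32-bit HRESULT."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def parse_4098(message):
    """Extract the fields of one event 4098 description, or None if no match."""
    m = EVENT_4098.search(message)
    if m is None:
        return None
    rec = m.groupdict()
    failed, facility, code = decode_hresult(int(rec["hresult"], 16))
    rec["win32_code"] = code if facility == FACILITY_WIN32 else None
    rec["unresolved_account"] = failed and rec["win32_code"] == ERROR_NONE_MAPPED
    rec["suppressed"] = "This error was suppressed" in message
    return rec

def unresolved_items(messages):
    """List (GPO name, GPO GUID, preference item) hit by unresolved names."""
    hits = {(r["gpo"], r["guid"], r["item"])
            for r in map(parse_4098, messages) if r and r["unresolved_account"]}
    return sorted(hits)

# Description text as quoted on this page.
PAGE_EVENT = ("The computer 'Administrators (built-in)' preference item in the "
              "'LocalAdminPolicy {77E77E2C-DD41-4BE8-BCA3-9D729ED51F98}' Group Policy "
              "object did not apply because it failed with error code '0x80070534 No "
              "mapping between account names and security IDs was done.' "
              "This error was suppressed.")
# Constructed sample with a different error code, for contrast.
CONSTRUCTED_EVENT = ("The computer 'Remote Desktop Users (built-in)' preference item "
                     "in the 'ExampleGPO {00000000-0000-0000-0000-000000000000}' Group "
                     "Policy object did not apply because it failed with error code "
                     "'0x80070005 Access is denied.' This error was suppressed.")

if __name__ == "__main__":
    for row in unresolved_items([PAGE_EVENT, CONSTRUCTED_EVENT, "unrelated text"]):
        print(row)
```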
