Securing Data Troubleshooting

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

What problem are you having?

  • The security database is corrupted.

  • Security policy is not propagating correctly.

  • Security policies are propagated with the following warning: 0x534 : No mapping between account names and security IDs was done.

  • You receive the following error message: The system cannot log you on now because the domain <DOMAIN_NAME> is not available.

The security database is corrupted.

Cause:  Improperly shutting down the computer or a software error.

Solution:  At a command prompt, run esentutl /g against the security database at %windir%\Security\Database\Secedit.sdb to check its integrity.

If the database is corrupt:

  1. Attempt to recover it by running esentutl /r at a command prompt from within the %windir%\Security folder. If this fails, attempt to repair it by running esentutl /p at a command prompt against %windir%\Security\Database\Secedit.sdb.

  2. After that, delete the log files in %windir%\Security.

Security policy is not propagating correctly.

Cause:  Multiple.

Solution:  Use Resultant Set of Policy to check what Group Policy object is affecting your computer.

Check the log file. The log file is located in %systemroot%\Security\Logs\Winlogon.log. You can examine this log file to identify specific errors that occur during policy propagation to the computer.

Security policies are propagated with the following warning: 0x534 : No mapping between account names and security IDs was done.

Cause:  This usually occurs because the security policy grants rights to user or group accounts that no longer exist.

Solution:  Find out which accounts are invalid.

  1. In Notepad, open the file %systemroot%\security\logs\winlogon.log. Members of the Windows Server 2003 family and computers running Windows XP create this file by default during policy propagation.

  2. Search for error 1332. Each occurrence identifies an account name that could not be resolved.

  3. Remove the unresolved account names from policies in your domain.

If the accounts are in the Default Domain or Domain Controller Group Policy objects, you can edit the policies in the Security Settings node of Group Policy to remove these account names. If the accounts exist elsewhere, you may have to browse through all Group Policy objects that are defined in the domain and remove them individually.
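As an added example (not part of the original article), a small Python script that performs steps 1 and 2 offline: it pairs each error 1332 in winlogon.log with the "Cannot find" line that follows it and counts how often each unresolved name appears, giving you the list to remove from the Group Policy objects. The sample log text is constructed, and the exact layout of those lines is an assumption; the file path is the one the article gives.

```python
"""Triage the 0x534 warning: list the account names that error 1332 could not map to a SID."""
import re
from typing import Dict, List

# Constructed sample of the policy-propagation section of
# %systemroot%\security\logs\winlogon.log. The exact layout on a real system
# is an assumption here, so the parser keys only on the "Error 1332" line and
# the "Cannot find <name>." line that follows it.
SAMPLE_LOG = """\
----Configure User Rights...
Configure S-1-5-32-544.
Error 1332: No mapping between account names and security IDs was done.
  Cannot find CONTOSO\\olduser.
Configure S-1-5-21-1000-2000-3000-1105.
Error 1332: No mapping between account names and security IDs was done.
  Cannot find CONTOSO\\Legacy Operators.
Error 1332: No mapping between account names and security IDs was done.
  Cannot find CONTOSO\\olduser.
User Rights configuration was completed with one or more errors.
"""

ERROR_1332 = re.compile(r"^\s*Error 1332\b")
CANNOT_FIND = re.compile(r"^\s*Cannot find (?P<name>.+?)\.?\s*$")


def unresolved_accounts(log_text: str) -> Dict[str, int]:
    """Return {account_name: occurrence_count} for every name that failed to
    resolve. An 'Error 1332' line is paired with the next 'Cannot find' line;
    anything else resets the pairing so unrelated lines are never counted."""
    counts: Dict[str, int] = {}
    pending = False
    for line in log_text.splitlines():
        if ERROR_1332.match(line):
            pending = True
            continue
        if pending:
            m = CANNOT_FIND.match(line)
            if m:
                name = m.group("name")
                counts[name] = counts.get(name, 0) + 1
            pending = False
    return counts


def report(log_text: str) -> List[str]:
    """Sorted, de-duplicated list of names to remove from the GPOs' Security Settings."""
    return sorted(unresolved_accounts(log_text))


if __name__ == "__main__":
    for name, n in sorted(unresolved_accounts(SAMPLE_LOG).items()):
        print(f"{name}: unresolved in {n} policy setting(s)")
```

To run it against a real log, read the file named above into log_text instead of SAMPLE_LOG; one name often appears several times because it is granted more than one user right.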

You receive the following error message: The system cannot log you on now because the domain <DOMAIN_NAME> is not available.

Cause:  The domain controller is unavailable and the user's logon information has not been cached, because the Interactive logon: Number of previous logons to cache (in case domain controller is not available) security policy is set to 0.

Solution:  Edit the security policy.

See also:  Interactive logon: Number of previous logons to cache (in case domain controller is not available)