Troubleshooting

What problem are you having?

The security database is corrupted.

Cause: A hardware problem if the computer is improperly shut down or a software error.

Run esentutl /g to check the integrity of the security database at %windir%\Security\Database\Secedit.sdb.

If the database is corrupt:

1.	Attempt to recover it by running esentutl /r on the %windir%\Security folder. If this fails, attempt to repair it by running with esentutl /p on %windir%\Security\Database\Secedit.sdb.
2.	After that, delete the log files in %windir%\Security.

Security policy is not propagating correctly.

Cause: Any.

Solution: Use Resultant Set of Policy to check what Group Policy object is affecting your computer.

Check the log file. The log file is located in systemroot\Security\Logs\Winlogon.log. You can examine this log file to identify specific errors that occur during policy propagation to the computer.

Security policies are propagated with the following warning: 0x534 : No mapping between account names and security IDs was done.

Cause: This is usually caused because the security policy grants rights to user or group accounts which no longer exist.

Solution: Find out which accounts are invalid.

1.	Open Notepad and open the file at %systemroot%\security\logs\winlogon.log. Windows XP creates this file by default during policy propagation.
2.	Search for error 1332. This indicates the account names that could not be resolved.
3.	Remove the unresolved account names from policies in your domain.

If the accounts are in the Default Domain or Domain Controller Group Policy objects, you can edit the policies in the Security Settings node of Group Policy to remove these account names. If the accounts exist elsewhere, you may have to browse through all Group Policy objects that are defined in the domain and remove them individually.

Top of page