Security policies are propagated with the following warning: 0x534 : No mapping between account names and security IDs was done.
Cause: This is usually caused because the security policy grants rights to user or group accounts which no longer exist.
Solution: Find out which accounts are invalid.
Open Notepad and open the file at %systemroot%\security\logs\winlogon.log. Windows XP creates this file by default during policy propagation.
Search for error 1332. This indicates the account names that could not be resolved.
Remove the unresolved account names from policies in your domain.
If the accounts are in the Default Domain or Domain Controller Group Policy objects, you can edit the policies in the Security Settings node of Group Policy to remove these account names. If the accounts exist elsewhere, you may have to browse through all Group Policy objects that are defined in the domain and remove them individually.