Hi,

We have a problem with our A.D.
We have 9 DCs in 8 different sites. All DCs are W2K3 Std R2 SP2 with all
hotfixes.
Domain functional level is Windows Server 2003.

We have a GPO that uses Restricted Groups to set members of the Built-In
Administrators group. We have an event in the Application Event Log on all DCs.
SceCLI event #1202: "Security policies were propagated with warning. 0x4b8:
An extended error has occurred."

I've enabled debug logging for the Security Configuration client-side
extension and I have found this error in Winlogon.log:
remove SID: S-1-5-21-1047738115-132384186-1539857752-500.
Error 1377: The specified account name is not a member of the local group.
error removing SID: S-1-5-21-1047738115-132384186-1539857752-500.

This SID is an object from a trusted domain. The trust has been deleted and
we forgot to remove it from the GPO before deleting the trust.

When I go directly to the Administrators group and I try to delete the
member manually, I receive this warning after clicking on Apply:
The object is no longer a member of this group. It may still appear due to
standard delays in replication between domain controllers.

I've done this yesterday and I have this message again this morning, so I
know it is not a replication delay.

In the ForeignSecurityPrincipals container, I can see the object. Can I
delete the object directly in this place? Will this result in removing the
object from the Administrators group? Can this cause other issues? If yes,
what should I do to remove the object from the Administrators group?

Thank you very much,
Dominic
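Before deleting anything in a case like this, the first thing to establish is which members of the group and which objects in the ForeignSecurityPrincipals container no longer resolve to a real principal. The script below is an added example and not part of Dominic's post or of any Microsoft tooling: it reads the group's member attribute directly and sweeps the FSP container, flagging SIDs that LSA cannot map and conflict (CNF) objects like the one described above. It assumes a domain-joined Windows PowerShell session with read access to the directory; the group name, variable names and the use of System.DirectoryServices rather than the RSAT module are my choices.

```powershell
# Added example, not from the thread: audit a group's member attribute and the
# ForeignSecurityPrincipals (FSP) container for SIDs that no longer resolve, such as
# principals from a trust that has since been removed. System.DirectoryServices is
# used so this runs in Windows PowerShell on a domain-joined host without RSAT.
param(
    [string]$GroupSam = 'Administrators'   # assumption: the built-in Administrators group
)

function Test-SidResolves {
    # True when LSA can map the SID to an account (LSA consults trusts for foreign SIDs).
    # An orphaned SID from a deleted trust throws IdentityNotMappedException.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        $null = $Sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

function ConvertTo-Sid {
    param([byte[]]$SidBytes)
    New-Object System.Security.Principal.SecurityIdentifier($SidBytes, 0)
}

$defaultNc = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'][0]

# 1. Read the group's member attribute and bind to each DN. Get-ADGroupMember gives up
#    when one member cannot be resolved; walking the DNs yourself does not.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$defaultNc")
$searcher.Filter = "(&(objectClass=group)(sAMAccountName=$GroupSam))"
[void]$searcher.PropertiesToLoad.Add('member')   # fine for Administrators; >1500 values need ranged retrieval
$group = $searcher.FindOne()
if (-not $group) { throw "Group '$GroupSam' not found under $defaultNc" }

$members = foreach ($dn in $group.Properties['member']) {
    $entry = [ADSI]"LDAP://$dn"
    $sid   = ConvertTo-Sid $entry.Properties['objectSid'][0]
    [pscustomobject]@{
        MemberDN   = $dn
        Sid        = $sid.Value
        IsForeign  = @($entry.Properties['objectClass']) -contains 'foreignSecurityPrincipal'
        # A replication conflict renames the object to "<name>\0ACNF:<guid>", which is the
        # "[SID]CNF:[GUID]" name seen in the thread.
        IsConflict = $dn -match '\\0ACNF:'
        Resolves   = Test-SidResolves $sid
    }
}

# 2. Sweep the FSP container. Every object there stands in for a principal from another
#    domain (or a well-known SID such as S-1-5-11), so one that no longer resolves is an
#    orphan; memberOf shows the groups that still carry it.
$fspSearcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=ForeignSecurityPrincipals,$defaultNc")
$fspSearcher.Filter = '(objectClass=foreignSecurityPrincipal)'
foreach ($attr in 'objectSid', 'distinguishedName', 'memberOf') {
    [void]$fspSearcher.PropertiesToLoad.Add($attr)
}
$orphans = foreach ($r in $fspSearcher.FindAll()) {
    $sid = ConvertTo-Sid $r.Properties['objectsid'][0]
    if (Test-SidResolves $sid) { continue }
    $dn = $r.Properties['distinguishedname'][0]
    [pscustomobject]@{
        Sid        = $sid.Value
        DN         = $dn
        IsConflict = $dn -match '\\0ACNF:'
        MemberOf   = @($r.Properties['memberof']) -join '; '
    }
}

"Members of ${GroupSam}:"
$members | Format-Table -AutoSize
'Foreign security principals that no longer resolve:'
$orphans | Format-Table -AutoSize
```

An unresolvable SID is not proof of an orphan on its own; LSA also fails to map a SID when the trusted domain is merely unreachable at that moment, so confirm the trust really is gone, as Dominic later did, before acting on the list. Once confirmed, the FSP object can be deleted with ADSI Edit or by calling DeleteTree() on the bound DirectoryEntry; because a group's member attribute is a link to that object, deleting it clears the stale membership from every group at once.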

Re: Problem deleting an unknown object in a group by Meinolf

Meinolf
Fri May 02 14:38:50 PDT 2008

Hello Dominic,

Can you see the SID in the administrators group which you are using with
restricted groups?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi,
>
> We have a problem with our A.D.
> We have 9 DCs in 8 different sites. All DCs are W2K3 Std R2 SP2 with
> all
> hotfixes.
> Domain functional level is Windows Server 2003.
> We have a GPO that uses Restricted Groups to set members of the
> Built-In Administrators group. We have an event in Application Event
> Log on all DC. SceCLI event #1202 : "Security policies were
> propagated with warning. 0x4b8 : An extended error has occurred."
>
> I've enabled debug logging for the Security Configuration client-side
> extension and I have found this error in Winlogon.log :
> remove SID: S-1-5-21-1047738115-132384186-1539857752-500.
> Error 1377: The specified account name is not a member of the local
> group.
> error removing SID: S-1-5-21-1047738115-132384186-1539857752-500.
> This SID is an object from a trusted domain. The trust has been
> deleted and we forgot to remove it from the GPO before deleting the
> trust.
>
> When I go directly to the Administrators group and I try to delete the
> member manually, I receive this warning after clicking on Apply :
> The object is no longer a member of this group. It may still appear
> due to
> standard delays in replication between domain controllers.
> I've done this yesterday and I have this message again this morning,
> so I know it is not a replication delay.
>
> In the ForeignSecurityPrincipals container, I can see the object. Can
> I delete the object directly in this place? Will this result in
> removing the object from the Administrators group? Can this cause
> other issues? If yes, what should I do to remove the object from the
> Administrators group?
>
> Thank you very much,
> Dominic



Re: Problem deleting an unknown object in a group by Dominic

Dominic
Mon May 05 04:51:01 PDT 2008

Hi Meinolf,

Yes, I can see the SID.
Here's what I can see in the Members tab, and in the
ForeignSecurityPrincipals container:
[SID]CNF:[GUID]

Thanks,
Dominic


"Meinolf Weber" wrote:

> Hello Dominic,
>
> Can you see the SID in the administrators group which you are using with
> restricted groups?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>

Re: Problem deleting an unknown object in a group by Dominic

Dominic
Mon May 05 11:01:00 PDT 2008

I have confirmed that the SID is from the old domain (which no longer exists)
and since the trust has been also deleted, I have deleted the object in the
ForeignSecurityPrincipals container.

The error 0x4b8 is no longer displayed in the Application Event log on our DCs.

Thanks,
Dominic

"Dominic" wrote:

> Hi Meinolf,
>
> Yes, I can see the SID.
> Here's what I can see in the Members tab, and in the
> ForeignSecurityPrincipals container:
> [SID]CNF:[GUID]
>
> Thanks,
> Dominic
>
>
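The other half of the cleanup that the thread mentions but never shows is the policy side: Restricted Groups stores the desired membership in the GPO's GptTmpl.inf as "*<SID>" entries, so a SID that outlives its trust can linger there as well as in the group itself. The script below is an added example, not from the thread: it parses the [Group Membership] section of such a template and reports every SID entry that no longer resolves. The SYSVOL path in the comment is the standard location of the file; the embedded INF content is constructed for the example (the ...-500 SID is the one from the thread, the S-1-5-21-3333-4444-5555-512 SID and CONTOSO\ServerAdmins are made up), and the function names are mine.

```powershell
# Added example, not from the thread: parse the [Group Membership] section that the
# Restricted Groups policy writes to GptTmpl.inf and flag every "*<SID>" entry that no
# longer resolves. With -Path it reads a real template, e.g.
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# Without -Path it parses a constructed sample that embeds the orphaned SID from the
# thread plus made-up entries for illustration.
param([string]$Path)

$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1047738115-132384186-1539857752-500,*S-1-5-21-3333-4444-5555-512,CONTOSO\ServerAdmins
*S-1-5-32-555__Members = *S-1-5-11
'@

function Get-RestrictedGroupEntries {
    # Yields one record per (group, Members|Memberof, principal) found in [Group Membership].
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $group = $Matches['group']; $kind = $Matches['kind']; $list = $Matches['list'].Trim()
            if ($list -eq '') { continue }   # "__Memberof =" with no value: policy enforces no memberships
            foreach ($item in ($list -split ',')) {
                [pscustomobject]@{ Group = $group; Kind = $kind; Principal = $item.Trim() }
            }
        }
    }
}

function Resolve-RestrictedPrincipal {
    # Restricted Groups stores principals as *SID; a DOMAIN\name entry means SCE could
    # not convert the name when the policy was saved, and it is reported as-is here.
    param([string]$Principal)
    if ($Principal -notmatch '^\*(?<sid>S-1-[\d-]+)$') {
        return [pscustomobject]@{ Sid = $null; Account = $Principal; Resolves = 'n/a (stored by name)' }
    }
    $sid = New-Object System.Security.Principal.SecurityIdentifier $Matches['sid']
    try {
        $acct = $sid.Translate([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{ Sid = $sid.Value; Account = $acct; Resolves = $true }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        [pscustomobject]@{ Sid = $sid.Value; Account = $null; Resolves = $false }
    }
}

$lines   = if ($Path) { Get-Content -LiteralPath $Path } else { $sampleInf -split "`r?`n" }
$results = foreach ($e in Get-RestrictedGroupEntries -Lines $lines) {
    $p = Resolve-RestrictedPrincipal $e.Principal
    [pscustomobject]@{
        Group     = (Resolve-RestrictedPrincipal $e.Group).Account   # e.g. BUILTIN\Administrators
        Kind      = $e.Kind
        Principal = $e.Principal
        Account   = $p.Account
        Resolves  = $p.Resolves
    }
}
$results | Format-Table -AutoSize
$stale = @($results | Where-Object { $_.Resolves -eq $false })
"Entries referencing SIDs that no longer resolve: $($stale.Count)"
$stale | ForEach-Object { "  {0} {1}: {2}" -f $_.Group, $_.Kind, $_.Principal }
```

Run it against every GptTmpl.inf under the domain's Policies share (Get-ChildItem -Recurse -Filter GptTmpl.inf) to find the GPO that still lists a principal from the removed trust; removing that entry in the Group Policy editor and letting the policy reapply is the complement to deleting the orphaned FSP object described earlier in the thread.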