Troubleshoot SCECLI 1202 events - Windows Server (2023)

This article describes how to troubleshoot and resolve SCECLI 1202 events.

Applies to: Windows Server 2012 R2
Original KB number: 324383

Summary

The first step in troubleshooting these events is to identify the Win32 error code. This error code distinguishes the type of failure that causes the SCECLI 1202 event. The following is an example of the SCECLI 1202 event. The error code is displayed in the Description field. In this example, the error code is 0x534. The text after the error code is a description of the error. Once you've determined the error code, find the section for that error code in this article, and then follow the troubleshooting steps in that section.

0x534: No mapping between account names and security IDs.

0x6fc: Trust relationship between primary domain and trusted domain failed.

Error Code 0x534: No mapping between account names and security IDs

These error codes mean that the security account could not be resolved to a security identifier (SID). The error usually occurs because the account name was typed incorrectly or because the account was deleted after it was added to the security policy setting. It typically occurs in the User Rights section or the Restricted Groups section of the security policy setting. It can also happen if the account exists across a trust relationship and the trust relationship is then broken.

To resolve this issue, follow these steps:

  1. Determine the account that is causing the failure. To do this, enable debug logging for the Security Configuration client-side extension:

    1. Launch Registry Editor.

    2. Locate and select the following registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

    3. On the Edit menu, select Add Value, and then add the following registry value:

      • Value name: ExtensionDebugLevel
      • Value type: DWORD
      • Value data: 2
    4. Close Registry Editor.

  2. Refresh the policy settings to reproduce the error. To refresh the policy settings, type the following at a command prompt, and then press ENTER:

    secedit /refreshpolicy machine_policy /enforce

    This command creates a file named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder.

  3. Find the problem account. To do this, type the following command at the command prompt, and then press ENTER:

    find /i "cannot find" %SYSTEMROOT%\security\logs\winlogon.log

    The Find output identifies the problem account names, for example, Cannot find MichaelPeltier. In this example, the MichaelPeltier user account does not exist in the domain, or it has a different spelling, such as MichellePeltier.

    Determine why this account cannot be recognized. For example, look for typographical errors, a deleted account, an invalid policy that applies to this computer, or a trust issue.

  4. If you determine that the account needs to be removed from the policy, find the problem policy and problem setting. To determine which setting contains the unresolved account, type the following command at a command prompt on the computer that generates the SCECLI 1202 event, and then press ENTER:

    c:\>find /i "account name" %SYSTEMROOT%\security\templates\policies\gpt*.*

    In this example, the syntax and results are:

    c:\>find /i "MichaelPeltier" %SYSTEMROOT%\security\templates\policies\gpt*.*
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00002.INF
    SeInteractiveLogonRight = TsInternetUser,*S-1-5-32-549,*S-1-5-32-550,MichaelPeltier,*S-1-5-32-551,*S-1-5-32-544,*S-1-5-32-548
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00003.DOM

    This output identifies GPT00002.inf as the cached security template from the problem Group Policy Object (GPO) that contains the problem setting. It also identifies the problem setting as SeInteractiveLogonRight. The display name of SeInteractiveLogonRight is Log on locally.

    For a map of constants (for example, SeInteractiveLogonRight) to their display names (for example, Log on locally), see the Microsoft Windows 2000 Server Resource Kit, Distributed Systems Guide. The map is in the User Rights section of the appendix.

  5. Determine which GPO contains the problem setting. Search the cached security template that you identified in step 4 for the text GPOPath=. In this example you will see:

    GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE

    {6AC1786C-016F-11D2-945F-00C04FB984F9} is the GPO GUID.

  6. To find the GPO friendly name, use the Gpotool.exe Resource Kit tool. Type the following at the command prompt, and then press ENTER:

    gpotool /verbose

    Search the output for the GUID that you identified in step 5. The four lines that follow the GUID contain the friendly name of the policy. Example:

    Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
    Policy OK
    Details:
    ------------------------------------------------------------
    DC: domcntlr1.wingtiptoys.com
    Friendly name: Default Domain Controllers Policy

The problem account, problem setting, and problem GPO have now been identified. To resolve this problem, delete or replace the problem entry.

Error code 0x2: The system cannot find the file specified

This error is similar to 0x534 and 0x6fc in that it is caused by an unresolvable account name. When a 0x2 error occurs, it typically indicates that the unresolvable account name is specified in a Restricted Groups policy setting.

To resolve this issue, follow these steps:

  1. Determine which service or object is failing. To do this, enable debug logging for the Security Configuration client-side extension:

    1. Launch Registry Editor.

    2. Locate and select the following registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

    3. On the Edit menu, select Add Value, and then add the following registry value:

      • Value name: ExtensionDebugLevel
      • Value type: DWORD
      • Value data: 2
    4. Close Registry Editor.

  2. Refresh the policy settings to reproduce the error. To refresh the policy settings, type the following at a command prompt, and then press ENTER:

    secedit /refreshpolicy machine_policy /enforce

    This command creates a file named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder.

  3. At the command prompt, type the following command, and then press ENTER:

    find /i "cannot find" %SYSTEMROOT%\security\logs\winlogon.log

    The Find output identifies the problem account names, for example, Cannot find MichaelPeltier. In this example, the MichaelPeltier user account does not exist in the domain, or it has a different spelling, for example, MichellePeltier.

    Determine why this account cannot be recognized. For example, look for typographical errors, a deleted account, an incorrect policy applied to this computer, or a trust issue.

  4. If you determine that the account needs to be removed from the policy, find the problem policy and problem setting. To determine which setting contains the unresolved account, type the following command at a command prompt on the computer that generates the SCECLI 1202 event, and then press ENTER:

    c:\>find /i "account name" %SYSTEMROOT%\security\templates\policies\gpt*.*

    In this example, the syntax and results are:

    c:\>find /i "MichaelPeltier" %SYSTEMROOT%\security\templates\policies\gpt*.*
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00002.INF
    SeInteractiveLogonRight = TsInternetUser,*S-1-5-32-549,*S-1-5-32-550,JohnDough,*S-1-5-32-551,*S-1-5-32-544,*S-1-5-32-548
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00003.DOM

    This output identifies GPT00002.inf as the cached security template from the problem GPO that contains the problem setting. It also identifies the problem setting as SeInteractiveLogonRight. The display name of SeInteractiveLogonRight is Log on locally.

    For a map of constants (for example, SeInteractiveLogonRight) to their display names (for example, Log on locally), see the Windows 2000 Server Resource Kit, Distributed Systems Guide. The map is in the User Rights section of the appendix.

  5. Determine which GPO contains the problem setting. Search the cached security template that you identified in step 4 for the text GPOPath=. In this example you will see:

    GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE

    {6AC1786C-016F-11D2-945F-00C04FB984F9} is the GPO GUID.

  6. To find the GPO friendly name, use the Gpotool.exe Resource Kit tool. Type the following at the command prompt, and then press ENTER:

    gpotool /verbose

    Search the output for the GUID that you identified in step 5. The four lines that follow the GUID contain the friendly name of the policy. Example:

    Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
    Policy OK
    Details:
    ------------------------------------------------------------
    DC: domcntlr1.wingtiptoys.com
    Friendly name: Default Domain Controllers Policy

The problem account, problem setting, and problem GPO have now been identified. To resolve this issue, search the Restricted Groups section of the security policy for the instance of the problem account (MichaelPeltier in this example), and then remove or replace the problem entry.
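
The following PowerShell script is an added example, not code from the original article. It covers steps 3 to 5 of the 0x534 and 0x2 procedures in one pass: it reads every cached template, tries to resolve each account name listed under User Rights and Restricted Groups to a SID, and reports the names that fail together with their setting and GPOPath. It assumes the cached templates use the standard [Privilege Rights] and [Group Membership] section names; Get-ResolveError is a hypothetical helper name.

```powershell
# Added example, not part of the original article. Read-only: changes no policy.
param([string]$TemplateDir = "$env:SystemRoot\security\templates\policies")

# Hypothetical helper: $null if the name maps to a SID, else the exception type.
function Get-ResolveError([string]$Name) {
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Name)
        $null = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        return $null
    } catch {
        return $_.Exception.GetBaseException().GetType().Name
    }
}

# Assumption: standard security-template section names.
$sections = 'Privilege Rights', 'Group Membership'
$cache = @{}   # account name -> lookup result, so each name is resolved once

foreach ($file in Get-ChildItem -Path $TemplateDir -Filter 'gpt*.*' -File) {
    $section = ''
    $gpoPath = '(GPOPath not found)'
    $hits = @()
    foreach ($line in Get-Content -LiteralPath $file.FullName) {
        if ($line -match '^\s*GPOPath\s*=\s*(.+)$') { $gpoPath = $Matches[1].Trim(); continue }
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1].Trim(); continue }
        if ($sections -notcontains $section) { continue }
        if ($line -notmatch '=') { continue }

        $setting, $value = $line -split '=', 2
        $setting = $setting.Trim()
        $names = @($value -split ',')
        if ($section -eq 'Group Membership') {
            # Left side is "<group>__Members" or "<group>__Memberof".
            $names += $setting -replace '__Member(s|of)$', ''
        }
        foreach ($name in $names) {
            $name = $name.Trim().Trim('"')
            # Entries written as *S-1-... are already SIDs and need no lookup.
            if (-not $name -or $name.StartsWith('*')) { continue }
            if (-not $cache.ContainsKey($name)) { $cache[$name] = Get-ResolveError $name }
            if ($cache[$name]) {
                $hits += [pscustomobject]@{
                    Account = $name; Setting = $setting; Template = $file.Name
                    Error = $cache[$name]; GPOPath = ''
                }
            }
        }
    }
    # GPOPath may appear after the settings, so fill it in once the file is read.
    foreach ($hit in $hits) { $hit.GPOPath = $gpoPath; $hit }
}
```

Run it from an elevated prompt on the computer that logs the event. An Error value of IdentityNotMappedException corresponds to the "no mapping between account names and security IDs" case.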

Error Code 0x5: Access Denied

This error usually occurs when the system has not been given the appropriate permissions to update the access control list of a service. This can happen if the administrator defines permissions for a service in a policy but does not grant the System account Full Control permissions.

To resolve this issue, follow these steps:

  1. Determine which service or object is failing. To do this, enable debug logging for the Security Configuration client-side extension:

    1. Launch Registry Editor.

    2. Locate and select the following registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

    3. On the Edit menu, select Add Value, and then add the following registry value:

      • Value name: ExtensionDebugLevel
      • Value type: DWORD
      • Value data: 2
    4. Close Registry Editor.

  2. Refresh the policy settings to reproduce the error. To refresh the policy settings, type the following at a command prompt, and then press ENTER:

    secedit /refreshpolicy machine_policy /enforce

    This command creates a file named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder.

  3. At the command prompt, type the following command, and then press ENTER:

    find /i "error opening" %SYSTEMROOT%\security\logs\winlogon.log

    The Find output identifies the service with the misconfigured permissions, for example, Error opening Dnscache. Dnscache is the short name of the DNS Client service.

  4. Find out which policy or policies are trying to modify the service's permissions. To do this, type the following command at the command prompt, and then press ENTER:

    find /i "service" %SYSTEMROOT%\security\templates\policies\gpt*.*

    Below is an example command and its output:

    d:\>find /i "dnscache" %windir%\security\templates\policies\gpt*.*
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00000.DOM
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00001.INF
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00002.INF
    Dnscache,3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)"
    ---------- D:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT00003.DOM

  5. Determine which GPO contains the problem setting. Search the cached security template that you identified in step 4 for the text GPOPath=. In this example you will see:

    GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE

    {6AC1786C-016F-11D2-945F-00C04FB984F9} is the GPO GUID.

  6. To find the GPO friendly name, use the Gpotool.exe Resource Kit tool. Type the following at the command prompt, and then press ENTER:

    gpotool /verbose

    Search the output for the GUID that you identified in step 5. The four lines that follow the GUID contain the friendly name of the policy. Example:

    Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
    Policy OK
    Details:
    ------------------------------------------------------------
    DC: domcntlr1.wingtiptoys.com
    Friendly name: Default Domain Controllers Policy

The service with misconfigured permissions and the problem GPO have now been identified. To resolve this issue, search the System Services section of the security policy for the instance of the service with misconfigured permissions. Then take corrective action to grant the System account Full Control permissions on the service.
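
The following PowerShell script is an added example, not code from the original article. It checks every service entry in the cached templates and reports those whose policy-defined DACL does not give the System account Full Control, which is the condition behind the 0x5 error described above. It assumes that service entries sit in the standard [Service General Setting] section in the name,startup,"SDDL" format shown in step 4; Get-ServiceAclStatus is a hypothetical helper name.

```powershell
# Added example, not part of the original article. Read-only: changes no policy.
param([string]$TemplateDir = "$env:SystemRoot\security\templates\policies")

$ServiceAllAccess = 0xF01FF   # SERVICE_ALL_ACCESS, i.e. Full Control on a service

# Hypothetical helper: 'OK', 'SystemLacksFullControl' or 'InvalidSddl'.
function Get-ServiceAclStatus([string]$Sddl) {
    try {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    } catch {
        return 'InvalidSddl'
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        # S-1-5-18 is the Local System account.
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceQualifier -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier.Value -eq 'S-1-5-18' -and
            ($ace.AccessMask -band $ServiceAllAccess) -eq $ServiceAllAccess) {
            return 'OK'
        }
    }
    return 'SystemLacksFullControl'
}

foreach ($file in Get-ChildItem -Path $TemplateDir -Filter 'gpt*.*' -File) {
    $section = ''
    $gpoPath = '(GPOPath not found)'
    $hits = @()
    foreach ($line in Get-Content -LiteralPath $file.FullName) {
        if ($line -match '^\s*GPOPath\s*=\s*(.+)$') { $gpoPath = $Matches[1].Trim(); continue }
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1].Trim(); continue }
        # Assumption: service entries live in [Service General Setting].
        if ($section -ne 'Service General Setting') { continue }
        if ($line -match '^\s*"?([^,"]+)"?\s*,\s*\d+\s*,\s*"\s*([^"]*)"') {
            $service = $Matches[1].Trim()
            $sddl = $Matches[2].Trim()
            # An empty SDDL means the policy sets only the startup type.
            if (-not $sddl) { continue }
            $status = Get-ServiceAclStatus $sddl
            if ($status -ne 'OK') {
                $hits += [pscustomobject]@{
                    Service = $service; Status = $status; Sddl = $sddl
                    Template = $file.Name; GPOPath = ''
                }
            }
        }
    }
    # GPOPath may appear after the settings, so fill it in once the file is read.
    foreach ($hit in $hits) { $hit.GPOPath = $gpoPath; $hit }
}
```

For the Dnscache line in the example output above, the only ACE is for LA, so the script reports SystemLacksFullControl for that service.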

Error code 0x4b8: An extended error has occurred

Error 0x4b8 is generic and can be caused by many different issues. To troubleshoot these errors, follow these steps:

  1. Enable debug logging for the Security Configuration client-side extension:

    1. Launch Registry Editor.

    2. Locate and select the following registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

    3. On the Edit menu, select Add Value, and then add the following registry value:

      • Value name: ExtensionDebugLevel
      • Value type: DWORD
      • Value data: 2
    4. Close Registry Editor.

  2. Refresh the policy settings to reproduce the error. To refresh the policy settings, type the following at a command prompt, and then press ENTER:

    secedit /refreshpolicy machine_policy /enforce

    This command creates a file named Winlogon.log in the %SYSTEMROOT%\Security\Logs folder.

  3. See "ESENT event IDs 1000, 1202, 412 and 454 are logged multiple times in the application log". That article describes known issues that cause error 0x4b8.

Collecting data

If you need help from Microsoft Support, we recommend that you gather your information by following the steps listed in "Collecting Information Using TSS for Problem Group Policy".

Article information

Author: Pres. Lawanda Wiegand

Last Updated: 01/23/2024
