SceCli errors after installing OCSP Responder
I have a domain controller on Windows Server 2008 R2 Enterprise Edition. This DC hosts Active Directory Certificate Services and an OCSP responder. For some time now I have received a message in the Application event log each time GP is applied to a computer or user:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done. <here is a lot of text as provided here: http://support.microsoft.com/kb/324383>
I found the problem accounts:
Cannot find OCSPISAPIAppPool.
Cannot find DefaultAppPool.
Cannot find WdiServiceHost.
Some rights and privileges are assigned to these accounts in the Default Domain Controllers Policy. Can I safely remove these accounts from this GPO? Thanks!
[http://www.sysadmins.lv]
As always enjoy the automation of tools
within the Windows-based, .NET aware,
WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! Flowering Weeds
August 10th, 2009 1:03pm
Hi,
Thanks for your post.
As far as I know, installing the OCSP role will not create those accounts in the domain. In fact, OCSPISAPIAppPool and DefaultAppPool are the Application Pools in IIS, and WdiServiceHost is the service name of Diagnostic Service Host service. Please confirm if you ever created those user accounts and configured the Application Pools and service run as custom account. Do the user accounts exist in the domain?
To check the settings of the Application Pool, please follow these steps:
1. Open IIS console, expand the ComputerName.
2. Select Application Pools, and check the identity of the DefaultAppPool and DefaultAppPool in the middle pane. By default, they are configured to run as built-in account, ApplicationPoolIdentity.
To check the setting of the WdiServiceHost service:
1. Open Services console, double-click the Diagnostic Service Host service in the right pane.
2. Select Log On tab and check user account that the service used to logon. By default, it logs on as Local Service account.
If all are using the default settings, please collect the following information on the server for further research:
1. The Winlogon.log.
2. The settings of the Default Domain Controller Policy: open the GPMC console, right-click Default Domain Controller Policy, and select Save Report.
3. MPSReport:
   1) Download the MPSReport from the website below: http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en
   2) Double-click the executable to launch the report gathering tool on both domain controllers.
   3) Follow the steps as guided by the Wizard.
   4) On the Select the diagnostics you want to run page, select General, Internet and Networking, Business Networks, and Server Components.
Please zip and upload the information above to the following space:
https://sftasia.one.microsoft.com/choosetransfer.aspx?key=38d3f350-22bc-43c9-95f3-9c785ef33c94
Password: V*UsAMPslP
I look forward to your response.
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Free Windows Admin Tool Kit Click here and download it now
August 11th, 2009 1:39pm
So, what I currently have:
> Please confirm if you ever created those user accounts and configured the Application Pools and service run as custom account. Do the user accounts exist in the domain?
No, I haven't created these accounts in the domain (I have already successfully installed the OCSP responder several times, but this is my first experience installing it on a domain controller) and they don't exist. I don't know of any reference where these accounts are talked about.
> Select Application Pools, and check the identity of the DefaultAppPool and DefaultAppPool in the middle pane. By default, they are configured to run as built-in account, ApplicationPoolIdentity.
Yes, the account is ApplicationPoolIdentity for all application pools.
> Select Log On tab and check user account that the service used to logon. By default, it logs on as Local Service account.
Exactly.
> launch the report gathering tool on both domain controllers
At this time I have only one DC. This is my own domain for PKI testing purposes.
> Please zip and upload the information above to the following space
Done.
August 11th, 2009 2:46pm
Hi,
Thanks for the information.
I did a lot of tests and noticed that those accounts are created locally and added to the policies after we install the related roles on the server. However, according to the report of the Default Domain Controller policy you uploaded, I found that the names of the accounts are displayed incorrectly in the policies. They should be:
IIS AppPool\OCSPISAPIAppPool.
IIS AppPool\DefaultAppPool.
NT Service\WdiServiceHost
That's why the system cannot resolve the account names when the policy applies.
Please refer to the following table and correct the policy settings accordingly:
Policy                             | Setting
-----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------
Adjust memory quotas for a process | IIS AppPool\OCSPISAPIAppPool, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, IIS AppPool\DefaultAppPool
Generate security audits           | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, IIS AppPool\DefaultAppPool, IIS AppPool\OCSPISAPIAppPool
Replace a process level token      | IIS AppPool\OCSPISAPIAppPool, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, IIS AppPool\DefaultAppPool
Profile system performance         | BUILTIN\Administrators, NT Service\WdiServiceHost
Note: When we add the accounts to the policies, we need to type their names directly (IIS AppPool\OCSPISAPIAppPool, for example) in the Add User or Group dialog box instead of clicking the Browse button and Check Names.
If there is anything unclear, please feel free to let me know.
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
August 13th, 2009 1:44pm
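The two checks requested earlier in this thread (application pool identity and the WdiServiceHost logon account) and the name-to-SID resolution that the corrected table depends on can be done from PowerShell on the DC that hosts IIS and the OCSP responder. This is an added example, not code from the thread or from Microsoft; it assumes the WebAdministration module (shipped with IIS 7.5 on Server 2008 R2) and uses PowerShell 2.0 compatible syntax. The list of names to resolve is taken from the corrected table plus the bare 'DefaultAppPool' form that the policy showed, so the contrast between the two spellings is visible in one run.

```powershell
# Added example (not from the thread). Run on the DC hosting IIS/OCSP.

# 1. Application pool identities. Default is ApplicationPoolIdentity, which
#    backs the virtual account 'IIS AppPool\<PoolName>'.
Import-Module WebAdministration
Get-ChildItem IIS:\AppPools |
    Select-Object Name,
        @{ Name = 'IdentityType'; Expression = { $_.processModel.identityType } },
        @{ Name = 'UserName';     Expression = { $_.processModel.userName } }

# 2. Logon account of the Diagnostic Service Host service (default: Local Service).
#    Get-WmiObject rather than Get-CimInstance, so it works on PowerShell 2.0.
Get-WmiObject Win32_Service -Filter "Name='WdiServiceHost'" |
    Select-Object Name, StartName, State

# 3. Name -> SID resolution for each principal in the corrected policy table.
#    The qualified 'IIS AppPool\...' and 'NT Service\...' forms resolve to
#    S-1-5-82-... / S-1-5-80-... virtual-account SIDs on a machine where the
#    pool or service exists; the bare 'DefaultAppPool' does not resolve anywhere,
#    which is the 0x534 "No mapping between account names and security IDs".
function Resolve-AccountSid {
    param([string]$AccountName)
    try {
        $sid = ([System.Security.Principal.NTAccount]$AccountName).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        New-Object PSObject -Property @{ Account = $AccountName; Sid = $sid; Resolved = $true }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        New-Object PSObject -Property @{ Account = $AccountName; Sid = $null; Resolved = $false }
    }
}

$names = @(
    'IIS AppPool\OCSPISAPIAppPool',
    'IIS AppPool\DefaultAppPool',
    'NT Service\WdiServiceHost',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE',
    'BUILTIN\Administrators',
    'DefaultAppPool'   # unqualified form as it appeared in the broken policy
)

$names | ForEach-Object { Resolve-AccountSid $_ } |
    Select-Object Account, Resolved, Sid | Format-Table -AutoSize
```

Running step 3 on a DC without IIS will also leave the 'IIS AppPool\...' names unresolved, which is consistent with the later observation in this thread that the qualified names can only be entered from a machine that has IIS installed.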
Excellent! So, maybe you know why it happens? Is this reproducible? Or is this only my local issue, that incorrect account names were provided in the policy?
August 13th, 2009 2:09pm
Hi,
Glad that it helps.
Based on my tests, it seems that those account names are changed in the policy settings after we configure the corresponding policy. It will not occur again after we correct the account names. I have not identified the cause so far; I will report it to our product team. If I get any information I will update you here.
Thanks.
Joson Zhou
TechNet Subscriber Support in forum
August 14th, 2009 12:23pm
Thanks for your help again! I will wait for any news from you.
August 14th, 2009 12:30pm
I also saw this error on my Domain Controllers. I was able to resolve it based on the steps outlined. Thank you!
To give you an idea of my environment: 15 or so Domain Controllers, single forest, multiple sites, 2003 functional level, two 2008 R2 Domain Controllers as we are slowly upgrading DCs, and through the research in my environment I believe I understand how this error is produced.
One of our 2008 R2 DCs is a certificate server (intermediate CA), so obviously it has IIS installed. It writes the DefaultAppPool to 'Generate Security Audits', 'Log on as a service' and 'Replace a process level token' in the GPO Default Domain Controllers Policy under '\Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment'. This is written initially as IIS AppPool\DefaultAppPool. On other domain controllers that do not have IIS installed this is translated to a SID, *S-1-5-82-..., which according to the MSDN article (http://msdn.microsoft.com/en-us/library/cc234477%28v=prot.10%29.aspx) falls under the NT Authority SID range.
How I created the error:
When I started working at my present employer our Active Directory was a mess. Periodically, I go through GPOs and remove orphaned SIDs because a service account was deleted and another Admin didn't clean up after him. Going over our Default Domain Controller policy I noticed what I thought was an orphaned SID, S-1-5-82..., which is actually the NT Authority SID assigned to IIS on my DC running the certificate services. I removed it thinking I had cleaned up an orphaned SID.
Once the GPO refreshes, the Domain Controller running Certificate Services notices that it doesn't have the permission it needs, so it writes the DefaultAppPool back into the Default Domain Controller policy - and therein lies the apex of the error. It writes it back as DefaultAppPool, not IIS AppPool\DefaultAppPool, and therefore it is not assigned that important S-1-5-82-... which is under the NT Authority SID range. Other Domain Controllers only see DefaultAppPool and fail processing the GPO because they cannot resolve it.
One additional note: when trying to add "IIS AppPool\DefaultAppPool", you must use a machine that has IIS installed. For instance, if you try to add IIS AppPool\DefaultAppPool from a machine that does not have IIS installed, even if you add the account directly from "Add User or Group" it will not resolve. I used the Domain Controller with the Certificate Services installed.
February 9th, 2011 2:17pm
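The mechanism described in the last post (a principal written back into the User Rights Assignment as a bare name instead of a resolved *S-1-5-82-... SID) can be checked directly in the GPO's security template, so that an unresolvable entry is found before the next refresh raises 0x534 on every other DC. The example below is added here and is not code from the thread; it assumes the secedit convention that resolved principals in GptTmpl.inf are stored as '*S-1-...' and unresolved ones as plain names, and it parses a constructed sample template rather than a real SYSVOL file. The SIDs in the sample are made up for illustration.

```powershell
# Added example (not from the thread). Reports [Privilege Rights] entries of a
# GptTmpl.inf that are stored as names rather than SIDs. Such names are exactly
# what other DCs cannot map when the policy applies (warning 0x534).
# Real file location (assumed, standard SYSVOL layout):
#   \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf

function Get-UnresolvedPrivilegeEntries {
    param([string[]]$Lines)

    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Track which INI section we are in; only [Privilege Rights] matters here.
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $t -eq '' -or -not $t.Contains('=')) { continue }

        $privilege, $value = $t -split '=', 2
        $entries = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
        foreach ($entry in $entries) {
            # A resolved principal looks like *S-1-5-82-...; anything else is a bare name.
            if ($entry -notmatch '^\*S-1-\d+(-\d+)+$') {
                New-Object PSObject -Property @{ Privilege = $privilege.Trim(); Entry = $entry }
            }
        }
    }
}

# Constructed sample template (not a real file): LOCAL SERVICE, NETWORK SERVICE
# and Administrators as SIDs, one made-up S-1-5-82 virtual-account SID, and the
# bare names the thread describes.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeAuditPrivilege = *S-1-5-19,*S-1-5-20,DefaultAppPool,*S-1-5-82-1111111111-2222222222-3333333333-4444444444-5555555555
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,OCSPISAPIAppPool
SeSystemProfilePrivilege = *S-1-5-32-544,NT Service\WdiServiceHost
'@ -split '\r?\n'

Get-UnresolvedPrivilegeEntries -Lines $sample |
    Select-Object Privilege, Entry | Format-Table -AutoSize

# Against a real GPO, read the template with Get-Content (it is UTF-16):
#   Get-UnresolvedPrivilegeEntries -Lines (Get-Content -Path $gptTmplPath -Encoding Unicode)
```

On the sample this lists DefaultAppPool, OCSPISAPIAppPool and NT Service\WdiServiceHost, the three entries that would have to be re-entered in their qualified form from a machine where they resolve. A report that only ever contains *S-1-... entries is the state to expect after the correction in this thread has been applied.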