secedit can not import templates with IIS Virtual Accounts specified
Platform: Win2008R2 SP1 64bit

My task is to modify the existing Local Security Policy via script to add and remove IIS AppPool identities (using the virtual accounts in Win2008R2).

If I add the users to the policy via the Local Security Policy Administrative tool, and then export the policy via secedit.exe, the result will look like:

SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334,DefaultAppPool

Note the user account is listed as a username, and not a SID. If I create a security template using the Security Template MMC snap-in, and save the .inf, the result is the same: the user is saved as 'DefaultAppPool'. So both tools treat this type of account the same. And it should be noted, there is no problem adding/removing this account via the Local Security Policy tool under administrator tools.

But any attempt to import a policy via secedit with any IIS Application Pool account names in the file will result in errors, using:

secedit.exe /configure /db secedit.sdb /cfg c:\test.inf

In the scesrv log it will say:

Configure DefaultAppPool
ERROR 1332: No mapping between account names and security IDs was done.

And when you open the Local Security Policy tool, the account 'DefaultAppPool' is not listed in the policies any longer.

I've tried adding the account via SID by manually modifying the inf file and adding in *S-blah-blah. Doing that, I can get the names to show up in the Local Security Policy tool, but then there appears to be an inconsistency, as the tool will error if you try to edit the policy, leading to entries missing.

It appears that the secedit /configure option refuses to accept Virtual Accounts. If I repeat the same tests with a normal local user account, the tool will update the policy successfully (but it will still complain in the log about DefaultAppPool on other existing entries).
June 25th, 2012 11:37am
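
Added example, not part of the thread or of any Microsoft tooling: a PowerShell check that lists the [Privilege Rights] entries in an exported template that are written as account names rather than *S- SIDs, like the 'DefaultAppPool' entry in the question. The function name is hypothetical, the template text is constructed from the line quoted above, and the local lookup with .NET's NTAccount.Translate is an assumed stand-in for secedit's own name-to-SID mapping.

```powershell
# Constructed sample: the SeAuditPrivilege line quoted in the question, inside
# a minimal template. For a real export, read the file with Get-Content instead.
$template = @'
[Privilege Rights]
SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334,DefaultAppPool
'@

# Hypothetical helper: emits one object per entry that is a name, not a SID.
function Get-NameFormPrivilegeEntry {
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Track whether the parser is inside [Privilege Rights]
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $privilege = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                # Entries exported as SIDs start with "*S-"; only names are reported
                if ($entry -eq '' -or $entry.StartsWith('*S-')) { continue }
                # Assumption: a local NTAccount lookup approximates secedit's mapping
                $resolves = $true
                try {
                    $account = New-Object System.Security.Principal.NTAccount($entry)
                    $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
                }
                catch { $resolves = $false }
                New-Object PSObject -Property @{
                    Privilege         = $privilege
                    Entry             = $entry
                    ResolvesAsWritten = $resolves
                }
            }
        }
    }
}

Get-NameFormPrivilegeEntry -Lines ($template -split '\r?\n') |
    Select-Object Privilege, Entry, ResolvesAsWritten
```

Running it against an export before secedit /configure shows which privileges carry name-form entries, so a failed import can be compared against that list instead of against an already modified policy.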

Hi,

Thanks for posting in Microsoft TechNet forums. Here is another thread with the same "1332" error. I suggest we check the information in this thread to see if it can be helpful in your situation.

Winlogon.log - No mapping between account names and SIDs
http://social.technet.microsoft.com/Forums/sr/windowsserver2008r2general/thread/b343f260-e3a4-4c9b-8024-a0e3ac9dc163

Regards
Kevin
June 26th, 2012 11:59pm

Hi, a link in that thread shows a very similar error, with possibly the same root cause, but it doesn't solve my issue.

The KB at http://support.microsoft.com/kb/977695 sounds identical, except related to Group Policy Template editing instead of Local Security Policy editing. I also can't relate the workaround because I don't have GPO templates to edit. Using the secedit command line to import also results in the same error, even if I use the SID instead of account name.

However, the hotfix linked in that KB will not apply itself to my win2008R2SP1 64bit install. The installer checks itself and says it doesn't apply. I don't know if that's because this hotfix is rolled into something later? The box is fully updated with all important and optional updates from Windows Update.
June 27th, 2012 12:00pm

Turns out this is a bug in Windows. Hotfix available at http://support.microsoft.com/kb/2411938
June 28th, 2012 9:48am

Hi, Thanks for sharing your solution with us. It can be helpful to other community members who face similar problems. Have a nice day. Best Regards Kevin
June 28th, 2012 9:55pm

This topic is archived. No further replies will be accepted.