It is Sunday morning and I had to work very early to do some testing after a migration. There is also a lot of waiting involved so i resolved to run some checks on the health of our domain controllers. We had a lot of SceCli event 1202 warnings on every single DC.
Those errors are potentially caused by an account that was deleted or not replicated correctly. That account is also part of the User Rights Assignment policy, most commonly on the “Logon as a service” settings.
Search for “Cannot find”
In my case I found the following:
Error 1332: No mapping between account names and security IDs was done.
Cannot find postgres_eip.
That means that the account postgres_eip does not match the SID Active Directory expects it to have. (as it no longer exists!)
To resolve the issue, find the policy that contains the User Rights Assignment, find that account and remove it.
Enjoy the rest of your Sunday!