Events 1003, 1202, 1000 occurring every 2hrs, help 1

Status
Not open for further replies.

Xaqte

IS-IT--Management
Oct 4, 2002
971
US
My server is SP3, and no changes have been implemented on this server in the last month. It is a member server of our domain.
The errors are as follows:
Event ID: 1003
Source: SceSrv
Description: Policy change from LSA/SAM can't be saved in the policy storage. Error 1208 to save policy change for account S-1-5-21-854245398-602162358-839522115-500 in the local security policy database. For more debugging information, please look security\logs\scepol.log under Windows root.

Event ID:1202
Source: SceCli
Description: Security policies are propagated with warning. 0x4b8: An extended error has occurred.

Event ID:1000
Source: Userenv
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1208)

Again, nothing has changed recently (software, policy, or other). This server has been in use for a few years as well.
Any thoughts/experience would greatly be appreciated! I'm just overly concerned on why this would happen out of the blue, since nothing has changed.

Thanks,

X
 
A SID ending in 500 refers to an administrator or domain administrator acct. Is it possible that it's having an issue in trying to apply the policy to an administrator account?
Check regarding the error codes you are receiving and you can use the SID2USER tool to identify the user that the policy is being applied to.
 
I'm a little lost with what eventid.net gave me, that's why I thought you chaps could help.

According to eventid.net:
Error code 0x4b8 (decimal 1208) - "An extended error occurred". See Q260715 - A conflict in Group Policy can cause these events to occur. These error messages can occur if the "Rename Administrator Account" security policy is enabled and then set to an account name that is already in use. Also, as per Q285903, to resolve this behavior, remove all references to the Power Users group in the Local Security settings.

Resolution from: MS's Q260715
RESOLUTION
To resolve this issue, either disable the "Rename Administrator Account" policy or configure the policy to use an account name that does not exist. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
259576 Group Policy Application Rules for Domain Controllers
258595 Gpresult Does Not Enumerate Resultant Computer Security Policy

Now, since this is not the domain controller... wouldn't I need to check these policy settings on the domain controller?

Thanks again,

X
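Added example, not part of the original thread: a Python sketch that normalises the error codes in the three event descriptions quoted above and decodes the SID's final component (the RID), showing that all three events report the same failure (1208 = 0x4b8) against the built-in Administrator account. The function names and regexes are this example's own assumptions, and the RID table lists only the well-known values 500 and 501.

```python
import re

# Well-known RIDs for accounts under a machine or domain SID (S-1-5-21-...).
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-(\d+)")
HEX_RE = re.compile(r"0x([0-9a-fA-F]+)")
DEC_RE = re.compile(r"(?:Error |status code of \()(\d+)")

# Event descriptions copied (abridged) from the first post of this thread.
EVENTS = [
    (1003, "SceSrv", "Policy change from LSA/SAM can't be saved in the policy "
     "storage. Error 1208 to save policy change for account "
     "S-1-5-21-854245398-602162358-839522115-500 in the local security "
     "policy database."),
    (1202, "SceCli", "Security policies are propagated with warning. "
     "0x4b8: An extended error has occurred."),
    (1000, "Userenv", "The Group Policy client-side extension Security was "
     "passed flags (17) and returned a failure status code of (1208)"),
]

def error_codes(text):
    """Return every error code found in the text, normalised to decimal."""
    codes = {int(h, 16) for h in HEX_RE.findall(text)}
    codes |= {int(d) for d in DEC_RE.findall(text)}
    return codes

def triage(events):
    """Group event IDs by error code and decode any account SID they name."""
    by_code, accounts = {}, {}
    for event_id, _source, text in events:
        for code in error_codes(text):
            by_code.setdefault(code, []).append(event_id)
        for match in SID_RE.finditer(text):
            rid = int(match.group(1))
            accounts[match.group(0)] = WELL_KNOWN_RIDS.get(rid, f"RID {rid}")
    return by_code, accounts

if __name__ == "__main__":
    by_code, accounts = triage(EVENTS)
    for code, ids in by_code.items():
        print(f"error {code} (0x{code:x}) reported by events {ids}")
    for sid, name in accounts.items():
        print(f"{sid} -> {name}")
```

A single shared code across SceSrv, SceCli and Userenv means one underlying policy-application failure rather than three separate problems.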
 
It looks like a group policy or a local security policy setting to rename the administrator acct is failing. Take a look to see if you have this type of policy in effect and disable it or have it modified.
 
Ok, I think I found my fix. This seemed to work in a test environment, I'll post back with live results when available.
As per itsp1965, I checked the local policy:
Local Computer Policy > Computer Config > Windows Settings > Security > Local Policies > Security Options

This resulted in the following error msg:
Windows cannot open the local policy database
An unknown error occurred when attempting to open the database

I then found this page.

How their solution steps applied to me:
Step 1: Database integrity appeared fine
Step 3: didn't work
Step 4: Completed, but couldn't remove the logs afterwards without going into safe mode

It appears the events are gone. Like I said I'll post back once live.

I hope this helps somebody else!

X
 