Cannot apply policies that are edited with a computer running Multilingual User Interface Pack (329816)


The information in this article applies to:

  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
This article was previously published under Q329816

SYMPTOMS

Permissions defined in local security settings are not applied when one of the following conditions are true:
  • You install the Multilingual User Interface (MUI) pack, and you select a non-english language as the preferred language for menus and dialog boxes.
  • You have a mixture of operating system languages installed in your domain environment.
The following messages are recorded in the application event log:
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 10/16/1999
Time: 10:13:10 am
User: N/A
Computer: Computername
Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in the Troubleshooting section in Security Help.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 10/16/1999
Time: 10:13:11 am
User: NT AUTHORITY\SYSTEM
Computer: Computername
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).
The second error message occurs when you edit domain group policies on a computer that is running MUI and on which the language for the logon screen and new users (the computer language) differs from the user's user interface language. In this case, the accounts in the user rights section of the policies are written by using the computer language instead of the SID of the accounts. You can examine the Computer\Microsoft\Windows NT\SecEdit\Gpttmpl.inf file in the policy for the user names. This problem affects built-in accounts and generic accounts; it does not affect accounts in the Users container or accounts that you create.

CAUSE

When you select a language other than English in the MUI and edit group policies, the account names for the default accounts in the Group Policy files are replaced with the localized names. This causes the group policies not to be applied on English installations.

RESOLUTION

Windows XP service pack information

To resolve this problem, obtain the latest service pack for Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Hotfix information

To resolve this problem, obtain the latest service pack for Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Microsoft Windows XP

Date         Time   Version        Size     File name     Platform
------------------------------------------------------------------
20-Jan-2003  23:01  5.1.2600.1158  173,568  Scecli.dll    x86
20-Jan-2003  23:01  5.0.1636.1     164,352  Sceprov.dll   x86
20-Jan-2003  23:01  5.1.2600.1158  307,712  Scesrv.dll    x86
20-Jan-2003  18:59  5.1.2600.1158   16,896  Secedit.exe   x86
20-Jan-2003  23:01  5.1.2600.1158  491,008  Scecli.dll    IA-64
20-Jan-2003  23:01  5.0.1636.1     593,408  Sceprov.dll   IA-64
20-Jan-2003  23:01  5.1.2600.1158  848,896  Scesrv.dll    IA-64
20-Jan-2003  18:59  5.1.2600.1158   36,352  Secedit.exe   IA-64
20-Jan-2003  18:59  5.1.2600.1158  173,568  Wscecli.dll   IA-64
20-Jan-2003  18:59  5.1.2600.1158   16,896  Wsecedit.exe  IA-64

Note Because of file dependencies, this hotfix requires Windows XP Service Pack 1 (SP1).

Microsoft Windows 2000

Date         Time   Version          Size     File name
--------------------------------------------------------------
02-Sep-2003  18:21  5.0.2195.6748    124,688  Adsldp.dll       
02-Sep-2003  18:21  5.0.2195.6748    132,368  Adsldpc.dll      
02-Sep-2003  18:21  5.0.2195.6748     63,760  Adsmsext.dll     
02-Sep-2003  18:21  5.0.2195.6815     381,712 Advapi32.dll     
02-Sep-2003  18:21  5.0.2195.6753     69,392  Browser.dll      
02-Sep-2003  18:21  5.0.2195.6680    134,928  Dnsapi.dll       
02-Sep-2003  18:21  5.0.2195.6780     96,528  Dnsrslvr.dll     
02-Sep-2003  18:21  5.0.2195.6810     47,376  Eventlog.dll     
02-Sep-2003  18:21  5.0.2195.6759    148,240  Kdcsvc.dll       
18-Jun-2003  17:43  5.0.2195.6758    205,072  Kerberos.dll     
26-Mar-2003  21:37  5.0.2195.6695     71,888  Ksecdd.sys
01-Aug-2003  17:40  5.0.2195.6797    509,712  Lsasrv.dll       
01-Aug-2003  17:40  5.0.2195.6797     33,552  Lsass.exe        
17-Jul-2003  23:13  5.0.2195.6786    109,840  Msv1_0.dll       
02-Sep-2003  18:21  5.0.2195.6601    311,568  Netapi32.dll     
02-Sep-2003  18:21  5.0.2195.6791    361,232  Netlogon.dll     
02-Sep-2003  18:21  5.0.2195.6810    931,600  Ntdsa.dll        
02-Sep-2003  18:21  5.0.2195.6742    392,464  Samsrv.dll       
02-Sep-2003  18:21  5.0.2195.6815    113,936  Scecli.dll       
02-Sep-2003  18:21  5.0.2195.6815    259,856  Scesrv.dll       
14-Aug-2003  18:58  5.0.2195.6801  5,232,128  Sp3res.dll       
02-Sep-2003  18:21  5.0.2195.6601     51,472  W32time.dll      
16-Aug-2002  13:32  5.0.2195.6601     57,104  W32tm.exe        
02-Sep-2003  18:21  5.0.2195.6741    126,224  Wldap32.dll

Note Because of file dependencies, this update requires Windows 2000 Service Pack 4 (SP4).

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article. This problem was first corrected in Microsoft Windows XP Service Pack 2.

MORE INFORMATION

After you install MUI and modify the default language for menus and dialog boxes, all well-known security IDs (SIDs) such as Everyone, Authenticated Users, and Interactive are translated to the new language. Local security settings are stored in the %SystemRoot%\Security\database\Secedit.sdb file, which is actually a Microsoft Jet database. User and group accounts are stored as strings, not as SIDs. Therefore, for example, after you change the language with MUI, the "Everyone" string cannot be mapped to a valid SID and permissions cannot be applied if they previously included an account whose name has changed.

When you install the hotfix that is listed in this article, generic accounts are preserved as SIDs in the policy. However, built-in accounts behave differently. These accounts appear as SIDs and are also stored as such:
  • *S-1-5-32-548 (Account Operators)
  • *S-1-5-32-549 (System Operators)
  • *S-1-5-32-550 (Print Operators)
This occurs because the accounts do not exist on the member computer and cannot be resolved. The SID itself still indicates that it is a built-in account that is resolved locally. These are written back to the policy as SIDs and do not cause a problem.

These accounts are loaded as SIDs from the policy but are stored as strings in the computer language:
  • Administrators
  • Backup Operators
  • Guests
  • Pre-Windows 2000 Compatible Access
  • Replicator
  • Users
These SIDs are known on the member computer, but the language mappings cannot be performed correctly with the current design of Windows XP.

When you add accounts to a policy, these accounts are stored as the English equivalent if the computer and user language do not match:
  • Account Operators
  • Administrators
  • ANONYMOUS LOGON
  • Authenticated Users
  • Backup Operators
  • CREATOR GROUP
  • CREATOR OWNER
  • ENTERPRISE DOMAIN CONTROLLERS
  • Everyone
  • Guests
  • INTERACTIVE
  • NETWORK
  • Pre-Windows 2000 Compatible Access
  • Print Operators
  • Replicator
  • RESTRICTED
  • SELF
  • Server Operators
  • SERVICE
  • Users
This is a limitation of the object picker.

Many of the accounts with the issues that are listed in this article are used primarily in the Default Domain Controller policy. Microsoft recommends that you change this policy only while you are working on a domain controller (through Terminal Services), not when you are running MUI.

Other accounts have limited or no use in user rights assignment for domain members. It is a better idea to use global groups or user accounts to grant user rights. These accounts do not have the problem when they are stored under their names.

REFERENCES

890737 You receive a "No mapping between account names and security IDs was done" error when you edit and then save a Group Policy object in Windows XP Professional

Modification Type:MinorLast Reviewed:10/10/2005
Keywords:kbHotfixServer kbQFE kbtshoot kbWinXPsp2fix kbbug kbfix kbWinXPpreSP2fix KB329816 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.