When accessing your event logs you find lots of errors which include:
‘No mapping between account names and security ids was done’
What is causing the errors:
Most likely the errors are occurring because the accounts used within Group Policy have been removed from AD, or because the account name has been typed incorrectly within the GPO.
How to locate the accounts causing issues:
1) First of all browse to %SYSTEMROOT%\Security\Logs and locate winlogon.log
You may find the log file does not exist
2) Access regedit (Registry)
3) Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
4) Locate ExtensionDebugLevel and set it to 2 (Decimal)
Wait for a few hours for information to populate within the logs
5) From a command prompt, run the below command:
cd c:\Windows\System32
Once you are at system32 type the below command
FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
Press Enter
The results will show which account is causing issues.
6) If you are not able to locate which group policy the account is linked to, run RSoP.msc and let the wizard scan
7) Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled “Source GPO”. Note which specific User Rights, Restricted Groups and containing Source GPOs are generating errors.
Next ensure the account has been disabled and is definitely not required. Check it does not exist in AD. Ensure it’s not a system account.
(Backup GP)
Remove the account from the GP and run gpupdate /force within a command prompt. Always take a backup of GP before making changes.
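
The log search from step 5 can also be done in PowerShell, which makes it easy to count how often each account is reported and to test whether the name still resolves to a SID. This is an added example, not part of the original article: it assumes each hit in winlogon.log has the form "Cannot find <account>.", and the account names in the sample lines are hypothetical.

```powershell
# Added example (not from the original article). Assumes each hit in
# winlogon.log has the form "Cannot find <account>."
param(
    # Log location from step 1; pass a copy of the log to analyse it elsewhere.
    [string]$LogPath = "$env:SystemRoot\Security\Logs\winlogon.log"
)

# Constructed sample lines with hypothetical account names, used only when
# the log file is missing (for example before debug logging has been enabled).
$SampleLines = @(
    'Error 1332: No mapping between account names and security IDs was done.'
    '    Cannot find OldBackupSvc.'
    '    Cannot find CONTOSO\j.smith.'
    '    Cannot find OldBackupSvc.'
)

function Test-AccountResolves {
    param([string]$Name)
    # Ask Windows to translate the name to a SID (the lookup Group Policy could not complete).
    try {
        $account = New-Object System.Security.Principal.NTAccount($Name)
        [void]$account.Translate([System.Security.Principal.SecurityIdentifier])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

function Get-UnmappedAccount {
    param([string[]]$Line)
    # Select-String is case-insensitive by default, like FIND /I.
    $Line |
        Select-String -Pattern 'Cannot find\s+(.+?)\.?\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Group-Object |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Account     = $_.Name
                Occurrences = $_.Count
                Resolves    = Test-AccountResolves -Name $_.Name
            }
        }
}

$useLog = Test-Path -LiteralPath $LogPath
if (-not $useLog) { Write-Warning "$LogPath not found; using the constructed sample lines." }
$lines = if ($useLog) { Get-Content -LiteralPath $LogPath } else { $SampleLines }
Get-UnmappedAccount -Line $lines | Format-Table -AutoSize
```

A Resolves value of False means the name still has no SID mapping on the machine where the script runs. Run it on a domain-joined machine so that domain accounts can be looked up.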