When running the AD Best Practices on Server 2008, you may receive the following error:
The AD DS BPA should be able to collect data about Group Policy Results setting “Access this computer from the network” from the domain controller <DCNAME>
Check the XML log file for a more detailed error message. By default it is ‘DirectoryServices_EngineReport.xml’, found in ‘Logs\BPA\Reports\Microsoft\Windows\DirectoryServices’ under your %systemroot%. Look for a section called <Error>; it contains a Message section with a somewhat more useful error. In this case, it was ‘Some or all identity references could not be translated.’, which would indicate that a deleted account is still referenced somewhere in a GPO. Unfortunately, it doesn’t tell you which GPO has this error.
To find the GPO at fault, open up Group Policy Management Console, and back up your GPOs manually. Right-click the Group Policy Objects container, and choose Back Up All. As it is backing up, it will eventually give you an error on whichever GPO has the outdated SID:
GPO: Default Domain Controllers Policy…Succeeded, but note the following issues:
[Warning] The security principal [S-1-5-21-940797813-2055044403-441284377-1536] referenced in extension [Security] cannot be resolved, but the task will continue.
Fix the referenced GPO, and re-run BPA.
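The same check can be scripted instead of waiting for the backup warning. The following is an added example, not part of the original post: it reads each GPO's security template from SYSVOL and reports every SID that no longer translates to an account, together with the setting that references it ("Access this computer from the network" is stored as SeNetworkLogonRight). It assumes a domain-joined host, a logon with a domain account, read access to SYSVOL and the default SYSVOL share layout.

```powershell
# Added example: list SIDs in each GPO's security template that no longer resolve.
# Assumptions: domain-joined host, domain logon, read access to SYSVOL, default share layout.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"
$sidRegex = [regex]'\*(S-1-\d+(?:-\d+)+)'

Get-ChildItem -Path $policies | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $gpoGuid = $_.Name   # matches "Unique ID" on the GPO's Details tab in GPMC
    $inf = Join-Path $_.FullName 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }   # no security template in this folder

    foreach ($line in (Get-Content -LiteralPath $inf)) {
        # Template lines look like: SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
        $setting = ($line -split '=', 2)[0].Trim()
        foreach ($m in $sidRegex.Matches($line)) {
            $sid = $m.Groups[1].Value
            try {
                $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
                [void]$id.Translate([System.Security.Principal.NTAccount])
            }
            catch {
                # Translate() fails for a SID with no matching account; the error text
                # normally contains "Some or all identity references could not be translated."
                New-Object PSObject -Property @{
                    Gpo     = $gpoGuid
                    Setting = $setting
                    Sid     = $sid
                    Error   = $_.Exception.Message
                }
            }
        }
    }
} | Format-Table Gpo, Setting, Sid, Error -AutoSize
```

A row whose Error is something other than the translation failure (for example, a domain controller could not be reached) means the lookup itself failed, not that the SID is stale.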