2008 BPA for AD Group Policy “Access to this computer” Error

When running the AD Best Practices on Server 2008, you may receive the following error:

The AD DS BPA should be able to collect data about Group Policy Results setting “Access this computer from the network” from the domain controller <DCNAME>

Check the XML log file for a more detailed error message. By default it is found under 'Logs\BPA\Reports\Microsoft\Windows\DirectoryServices' in your %systemroot%, as 'DirectoryServices_EngineReport.xml'. Look for a section called <Error>; it contains a Message element with a somewhat more useful error. In this case it was 'Some or all identity references could not be translated.', which indicates that a deleted account (an orphaned SID) is still referenced in the security settings of some GPO. Unfortunately the report does not tell you which GPO has the bad reference.

To find the GPO at fault, open the Group Policy Management Console and back up your GPOs manually. Right-click the Group Policy Objects container and choose Back Up All. As the backup runs, it will eventually report a warning on whichever GPO contains the orphaned SID:

GPO: Default Domain Controllers Policy…Succeeded, but note the following issues:

[Warning] The security principal [S-1-5-21-940797813-2055044403-441284377-1536] referenced in extension [Security] cannot be resolved, but the task will continue.

Remove the unresolvable SID from the security settings of the referenced GPO (here the Default Domain Controllers Policy), then re-run the BPA.
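As an added example (not part of the original post), the following PowerShell does both lookups from the command line: it pulls the Message text out of the BPA engine report described above, then scans every GPO's XML report for domain SIDs that no longer translate to an account. It assumes the GroupPolicy RSAT module is installed, that you have read access to all GPOs, and that the engine report uses the element names <Error> and <Message> as the post describes. The regex approach deliberately does not depend on the GPO report's element names, so it will also flag orphaned SIDs in a GPO's delegation ACL, not only in user-rights assignments such as "Access this computer from the network".

```powershell
# Added example, not from the original post. Locates GPOs that reference SIDs
# which no longer resolve, the condition behind
# "Some or all identity references could not be translated".
Import-Module GroupPolicy

# Step 1: pull the detailed message(s) out of the BPA engine report.
# Path as given in the post; the XPath uses local-name() so it works whether or
# not the report declares an XML namespace (element names are an assumption).
$report = Join-Path $env:SystemRoot 'Logs\BPA\Reports\Microsoft\Windows\DirectoryServices\DirectoryServices_EngineReport.xml'
if (Test-Path $report) {
    Select-Xml -Path $report -XPath "//*[local-name()='Error']/*[local-name()='Message']" |
        ForEach-Object { "BPA error message: $($_.Node.InnerText)" }
}

# Step 2: scan every GPO for domain SIDs that cannot be translated.
# Only domain-style SIDs (S-1-5-21-<domain>-<rid>) are checked; well-known SIDs
# such as S-1-1-0 or S-1-5-32-544 always resolve and are skipped.
$sidPattern = 'S-1-5-21-\d+-\d+-\d+-\d+'

function Test-SidResolves {
    param([string]$Sid)
    try {
        # Translate() throws IdentityNotMappedException for a deleted account.
        $null = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

$findings = foreach ($gpo in Get-GPO -All) {
    # Get-GPOReport returns the XML as a string when no -Path is supplied.
    $xml  = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $sids = [regex]::Matches($xml, $sidPattern) |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    foreach ($sid in $sids) {
        if (-not (Test-SidResolves $sid)) {
            [pscustomobject]@{
                GPO = $gpo.DisplayName
                Id  = $gpo.Id
                Sid = $sid
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No unresolvable SIDs found in any GPO.'
}
```

Run it from a domain-joined management host as a user who can read every GPO; each row names the GPO and the orphaned SID so you can open that policy in GPMC and remove the stale entry before re-running the BPA.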