2008 BPA for AD Group Policy 'Access to this computer' Error

When running the AD Best Practices on Server 2008, you may receive the following error:

> The AD DS BPA should be able to collect data about Group Policy Results setting “Access this computer from the network” from the domain controller

Check the XML log file for a more detailed error message. It can be found by default in ‘Logs\BPA\Reports\Microsoft\Windows\DirectoryServices’ in your %systemroot% as ‘DirectoryServices_EngineReport.xml’. Look for a section called . There will be a Message section with a somewhat more useful error. In this case, it was ‘Some or all identity references could not be translated.’, which would indicate that a deleted account is still referenced somewhere on a GPO. Unfortunately it doesn’t tell you which GPO has this error.

To find the GPO at fault, open up Group Policy Management Console, and back up your GPOs manually. Right-click the Group Policy Objects container, and choose Back Up All. As it is backing up, it will eventually give you an error on whichever GPO has the outdated SID:

GPO: Default Domain Controllers Policy…Succeeded, but note the following issues:

> [Warning] The security principal [S-1-5-21-940797813-2055044403-441284377-1536] referenced in extension [Security] cannot be resolved, but the task will continue.

Fix the referenced GPO, and re-run BPA.
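
Another way to locate the stale SID is to read each GPO's security template in SYSVOL and try to translate every SID it references. The PowerShell below is an added example, not part of the original post; it assumes PowerShell 2.0 or later, a domain-joined machine where `USERDNSDOMAIN` is set, and read access to SYSVOL, and it reports GPOs by their GUID folder name.

```powershell
# Added example, not from the original post. Assumptions: PowerShell 2.0 or later,
# a domain-joined machine, and read access to the domain's SYSVOL share.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"
$failure  = @{}   # cache: SID string -> '' if it resolves, else the error text

Get-ChildItem -Path $policies | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $gpoGuid = $_.Name
    # A GPO's security settings (user rights, restricted groups) are stored in this template.
    $inf = Join-Path $_.FullName 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }   # GPO has no security settings

    $section = ''
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }

        # SIDs are written as *S-1-...; plain account names carry no asterisk.
        foreach ($m in [regex]::Matches($line, '\*(S-1-[0-9-]+)')) {
            $sid = $m.Groups[1].Value
            if (-not $failure.ContainsKey($sid)) {
                try {
                    $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $null = $id.Translate([System.Security.Principal.NTAccount])
                    $failure[$sid] = ''
                } catch {
                    # Any failure is recorded; for a deleted account the text is
                    # "Some or all identity references could not be translated."
                    $failure[$sid] = $_.Exception.Message
                }
            }
            if ($failure[$sid]) {
                New-Object PSObject -Property @{
                    GpoGuid = $gpoGuid
                    Section = $section
                    Setting = ($line -split '=')[0].Trim()
                    Sid     = $sid
                    Error   = $failure[$sid]
                }
            }
        }
    }
}
```

Each output object names the GPO folder, the template section (for example `Privilege Rights`), the setting and the SID that failed to resolve; the GUID can be matched to a display name on the GPO's Details tab in Group Policy Management Console.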