Issue with GPO Windows Server 2022 (Error Code: 0x80070534)

SSE@TUE 80 Reputation points
2025-06-10T13:20:09.3266667+00:00

Hi,

I have an issue with GPO on my Domain Server 2022. If I run the GPO result, I am getting the following Error:

Error Code: 0x80070534

Any idea how I can resolve it?

Best regards, and thank you for your help

Active Directory

Accepted answer
  1. Chen Tran 575 Reputation points
    2025-06-11T10:22:18.1433333+00:00

    Hello,

    Thank you for posting your question on the Microsoft Windows forum!

    Error Code: 0x80070534, generated when running the GPO result, typically indicates that the Group Policy is referencing a security principal (a user, group, or computer account) whose Security Identifier (SID) can’t be resolved. In other words, there’s a “no mapping” issue between account names and SIDs. You can try the following potential troubleshooting steps.

    1. Examine the GPO Settings and Security Filtering.

    • Open the Group Policy Management Console and review the properties of the affected GPO. Check the Delegation and Security Filtering tabs for any accounts or groups that appear as unknown or are represented only by a SID. It’s common for this to happen if an account was deleted, renamed, or migrated without updating references. Removing or updating these outdated entries can resolve the error.

    2. Use RSoP (Resultant Set of Policy).

    • Open rsop.msc on the affected machine.
    • Navigate to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment and Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Restricted Groups.
    • Look for any settings flagged with a red 'X'. These indicate a problem. The "Source GPO" column will tell you which GPO contains the problematic setting.

    3. Inspect Active Directory for Orphaned SIDs.

    • Use Active Directory Users and Computers to verify that all accounts referenced by the GPO exist and are active. If you discover that the GPO is referencing a deleted or moved account, update the policy accordingly. This ensures that every SID in the GPO maps to a valid security principal.

    4. Review the Event Viewer Logs.

    • On the Domain Controller, check the Event Viewer (particularly under the System, Application, and Group Policy Operational logs) for additional error details. The logs may pinpoint which specific account or object is causing the error and offer clues on how to correct the configuration.

    5. Check GPO Permissions.

    • While less likely for this specific error, it's always good to ensure that the Authenticated Users group has Read and Apply Group Policy permissions on the problematic GPO. You can check this in the Group Policy Management Console under the "Delegation" tab of the GPO.

    You can refer to the article below for more information about this issue.

    Hope the above information is helpful!
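
The checks in steps 2 and 3 of the accepted answer (User Rights Assignment and Restricted Groups entries whose SID or name no longer maps) can be scripted. The PowerShell below is an added example, not part of the original thread or of any Microsoft tool: the function names `Test-Principal` and `Find-UnresolvedPrincipal` are hypothetical, the sample template is constructed, and it assumes each GPO's security template is stored as `GptTmpl.inf` under the standard SYSVOL `Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit` folder.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Test-Principal {
    param([string]$Entry)
    try {
        if ($Entry.StartsWith('*')) {
            # "*S-1-5-..." is a SID literal; it must map to an account name
            $sid = [System.Security.Principal.SecurityIdentifier]::new($Entry.Substring(1))
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        } else {
            # A bare account name must map to a SID
            $acct = [System.Security.Principal.NTAccount]::new($Entry)
            $null = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        }
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false   # the "no mapping" condition behind 0x80070534
    }
}

function Find-UnresolvedPrincipal {
    param([string[]]$Lines, [string]$Source = 'sample')
    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -notin 'Privilege Rights', 'Group Membership') { continue }
        if ($line -notmatch '^\s*([^=]+?)\s*=\s*(.*)$') { continue }
        $setting = $Matches[1]
        $entries = @($Matches[2] -split ',')
        # In [Group Membership] the key also names a principal: "<principal>__Members"
        if ($section -eq 'Group Membership') { $entries += $setting -replace '__Member(s|of)$', '' }
        $entries = $entries | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($e in $entries) {
            if (-not (Test-Principal $e)) {
                [pscustomobject]@{ Source = $Source; Section = $section; Setting = $setting; Principal = $e }
            }
        }
    }
}
# Constructed sample template; the S-1-5-21-... SID and CONTOSO\svc-old are made up
$sample = @'
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,CONTOSO\svc-old
SeBackupPrivilege = *S-1-5-32-544
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split "`r?`n"
Find-UnresolvedPrincipal -Lines $sample | Format-Table -AutoSize
# On a domain member, feed it each GPO's template from SYSVOL instead:
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\*\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf" | ForEach-Object { Find-UnresolvedPrincipal (Get-Content $_.FullName) $_.FullName }
```

Each row names the setting and the principal that failed to translate; with the SYSVOL variant, the `{GUID}` folder in the `Source` path identifies which GPO to open in the Group Policy Management Console.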


1 additional answer

  1. jeffery heintz 160 Reputation points
    2025-06-10T14:50:12.99+00:00

    0x80070534: no mapping between account names and security IDs (reinstall the app)

