I've been chasing a problem relating to AD security and found that my Account Operators principal isn't being applied correctly - I have a customized User Rights Assignment policy and the Log On Locally option throws
1202 Scecli error (0x534 : No mapping between account names and security IDs was done.)
Following the error code and researching it out, the common fix is to delete the offending account or SID, but this one is a built-in security principal so.... no.
Does anyone have an idea on how to fix this? Or should I just suck it up and delete/recreate the user rights assignment policy? I'm hesitant to erase this customization because our backup software needs it, and I have a feeling if I recreate it from scratch the same problem is going to pop up, so I'd rather have a fix for this issue. I am not sure why this is failing, as I merely added the backup agent account to it, and 'Account Operators' was already present in this option by default.
I ended up fixing this by deleting the settings in question and using the default domain policy's default settings. Fortunately, it appears that the rights needed are already granted by the default policy; I am not sure why this was customized in the first place.
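An added example, not part of the original post: a PowerShell check that reads the `[Privilege Rights]` section of a policy's `GptTmpl.inf` and reports which entries the local machine cannot map between name and SID, which is the condition the 0x534 status describes. The function name `Get-PrivilegeRightEntry`, the sample template and the account `EXAMPLE\svc-backup` are constructed for illustration.

```powershell
# Constructed sample of a GptTmpl.inf; EXAMPLE\svc-backup is a placeholder name.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,EXAMPLE\svc-backup
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

# Hypothetical helper: lists every account under [Privilege Rights] and whether
# this machine can map it between name and SID.
function Get-PrivilegeRightEntry {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Track which INF section we are in; only one section is of interest.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $text -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $value = $Matches[2]
        foreach ($entry in ($value -split ',')) {
            $account = $entry.Trim()
            if (-not $account) { continue }
            # Entries written as "*S-1-..." are SIDs; anything else is an account name.
            $isSid = $account.StartsWith('*S-')
            try {
                if ($isSid) {
                    $sid = [System.Security.Principal.SecurityIdentifier]::new($account.Substring(1))
                    $null = $sid.Translate([System.Security.Principal.NTAccount])
                } else {
                    $name = [System.Security.Principal.NTAccount]::new($account)
                    $null = $name.Translate([System.Security.Principal.SecurityIdentifier])
                }
                $resolved = $true
            } catch {
                # Translate() throws when no name/SID mapping exists.
                $resolved = $false
            }
            [pscustomobject]@{ Right = $right; Entry = $account; StoredAsSid = $isSid; Resolved = $resolved }
        }
    }
}

Get-PrivilegeRightEntry -Lines $sample | Where-Object { -not $_.Resolved } | Format-Table -AutoSize
```

To check a real policy, pass the output of `Get-Content` on that policy's `GptTmpl.inf` as `-Lines`. Resolution is performed by the machine running the script, so run it on a computer that reports the 1202 event.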