When I looked in the Application log on my server, I discovered numerous entries, every 5 minutes:

Event Type: Warning                              Event Source: SceCli                              Event Category: None                              Event ID: 1202                              Date: 10/16/1999                              Time: 10:13:10 am                              User: N/A                              Computer: COMPUTERNAME                              Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs                                           was done. Please look for more details in TroubleShooting section in Security Help.
Event Type: Error                              Event Source: Userenv                              Event Category: None                              Event ID: 1000                              Date: 10/16/1999                              Time: 10:13:11 am                              User: NT AUTHORITY\SYSTEM                              Computer: COMPUTERNAME                              Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).
To find the problem:

1. I navigated to HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtension\\{827...\} and Added Value name ExtensionDebugLevel as a type REG_DWORD, setting it to 2. This turned on logging for Winlogon.

2. At a CMD prompt, I typed:

    secedit /refreshpolicy machine_policy /enforce to create %SystemRoot%\Security\logs\Winlogon.log.

3. After inspecting Winlogon.log, I discovered that someone at Microsoft failed to learn the basics of database design, and did not implement referential integrity.

I had recently uninstalled IIS on my Windows 2000 Server. The initial install created the IUSR_... and IWAM_... accounts and assigned users rights. The uninstall removed these accounts, but failed to remove them from User Rights Assignment.

The fix was to manually remove the accounts from the from User Rights Assignment at Administrative Tools / Local Security Policy / Local Policies.