S-1-5-19 Object translation errors.

Anon

Our current network is as follows.

One Domain
two Windows 2003 servers
one Windows 2000 server

Everything was fine a few months ago. After a reboot of my
2000 server, I noticed I could not give "Act as part of
the operating system" privilege to my Local Service
account under 2000 server. I am able to do so on both the
2003 boxes. It seems my 2000 server cannot translate the
ForeignSecurityPrincipals for S-1-5-19 (Local Service).

Because of this, I am forced to run a lot of my services
using the Domain\administrator account, which caused
problems.
 
Hello,

AFAIK, the LocalSystem account is not a foreign security principal, so the
error message that you are seeing may be misleading. Is the machine a
domain controller?

Could you tell me why you need to grant this right to LocalSystem? Was this
done to resolve some problem that occurred with services starting after the
reboot?

I have not seen an application or service that required this to be set
manually.

Do you have any messages in the event logs (System and Application)?

Dale Weiss MCSA MCSE CISSP
PSS Security

This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm
 
Hello Dale, thanks for your response.

The computer in question is a DC.
I have been having problems with services not being able
to start under local system, I did some research and
noticed that the "Local Service" account S-1-5-19 did not
have the "Act as part of the operating system"

Trying to give it that privilege (DEFAULT DOMAIN GPO)
I got the following error:
"Processing Local Service failed with the following Error:
Name Translation: Generic Proccessing error"

I noticed a few other things
1. I am unable to see S-1-5-19 listed
in "ForeignSecurityPrincipals"
2. In Application event viewer I noticed errors stating
that the DCOM service could not run because
it was using an invalid account.
3. In System Log, the error was .. S-1-5-19 does not have
the required privileges.
4. In the GPO I see the SID S-1-5-19, not Local Service
I hope this made sense.
 
Hello,

How did you determine that the System account did not have this right?

I looked in GPEDIT.MSC on my DC and I did not see the System Account listed
there and I also am not seeing any problems.

Could you give me some more details on what is and is not working when you
run the services under the System account?

Dale Weiss MCSA MCSE CISSP
PSS Security

 