Tool for Security IDs (SID)

  • Thread starter: Allison Wright

Allison Wright

I noticed in our domain controller winlogon logs that
there is a SID that cannot be mapped to an account name. It
generates the following error:

Error 1332: No mapping between account names and security
IDs was done. Cannot find S-1-...(the SID)

Is there a tool or a way of identifying what the SID used
to belong to? We are in a native mode Windows 2000 domain
(all servers w/current Service Pack).

Thank you,
Allison
 
There are tools that resolve a sid to a name and vice versa but they only
work if the object still exists. In your winlogon log you should see the
name of the user or group that cannot be resolved. An example is

Configure Power Users.
Error 1332: No mapping between account names and security IDs was done.
Cannot find Power Users.

I find it strange that your error is "Cannot find S-1-...(the SID)". Do
you know if a user or group was created with the name S- (the sid)? You
can see if it actually shows up in any of the group policies by running the
following command

find /I "thesid" c:\winnt\security\templates\policies\gpt*.*

If it is found, then open the file and look for the gpopath attribute to
determine the policy guid. Open that policy that matches the guid and look
for the (the SID) in the user rights section and remove it if it exists.


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
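
An added example, not part of the original posts: the search described in the reply above, written as a Python function that takes the text of one cached policy template and reports the GPO GUID from its gpopath line together with the user rights that list a given SID. The sample template, its SID and GUID, and the exact file layout are constructed assumptions; the function works on text already read from a file, so file encoding is left to the caller.

```python
import re

# Constructed sample of a cached policy template. The SID, the GUID and the
# placement of the GPOPath line are made up for illustration (assumed layout).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
GPOPath={11111111-2222-3333-4444-555555555555}\\MACHINE
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-21-1000000000-2000000000-3000000000-1105
SeShutdownPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-21-1000000000-2000000000-3000000000-1105
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def find_sid_in_template(text, sid):
    """Return (gpo_guid, [user rights that list sid]) for one template's text."""
    gpo_guid, section, rights = None, None, []
    wanted = sid.upper()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key.lower() == "gpopath":
            # Accept the gpopath line wherever it appears in the file.
            m = GUID_RE.search(value)
            gpo_guid = m.group(0) if m else value.strip()
        elif section == "privilege rights":
            # Entries are comma separated; SIDs carry a leading '*'.
            # Compare whole entries so ...-1105 never matches ...-11050.
            members = [v.strip().lstrip("*").upper() for v in value.split(",")]
            if wanted in members:
                rights.append(key)
    return gpo_guid, rights
```

Comparing whole entries rather than substrings is the one difference from the find command: it avoids a hit on a longer SID that merely begins with the one being searched for.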
 
Thank you for your response. Actually what I meant by
typing (the SID) was I did not want to type out the entire
actual SID.
 