How to determine user behind unknown SID listed in User Rights Assignments?

Guest

I have an unknown SID (not one of the well-known ones) listed under some
user rights assignments in GP. The only registry reference to it is under
the HKLM\SECURITY\Policy\Accounts key. How do you determine which user this
is? The SID in question is S-1-5-domain-1137. There is also
S-1-5-domain-1135, S-1-5-domain-1136 and S-1-5-domain-1139. Not sure what
these are either.
 
Nick Finco [MSFT]

If you have some knowledge of C and a compiler (like Visual Studio), you can
create a utility to call LsaLookupSids to determine the corresponding
username. You could also open the Local Security Policy for that machine
and view which users are assigned to that user right. You won't know which
SID maps to which user, but at least you'll know what users are assigned to
that right.

N
 
Edward B. Hethcote

Look for a utility called sid2name.exe (it probably won't find any user
though). If they are sequential SIDs, they could be SMS related. Probably
just deleted accounts. After deleting an account, GPO references to the SID
are not cleaned up.

BH
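
The SID-to-name lookup and the deleted-account case discussed in the two replies above, as an added PowerShell example that is not code from any poster in this thread. It assumes an elevated prompt on the machine whose rights are being inspected; the helper name `Resolve-SidString` and the temp file name are made up for illustration.

```powershell
# Added example: map every SID in the effective User Rights Assignment to a name
# and flag the ones that no longer resolve. Run from an elevated prompt.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # arbitrary temp file name
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

function Resolve-SidString {                           # hypothetical helper name
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null                                   # no account behind this SID
    }
}

$inRights = $false
$rows = foreach ($line in Get-Content $cfg) {
    # Track which INF section we are in; only [Privilege Rights] is of interest
    if ($line -match '^\[(.+)\]\s*$') {
        $inRights = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inRights -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    foreach ($entry in $Matches[2].Split(',')) {
        # secedit writes SIDs as *S-1-...; entries without * are already names
        if ($entry.Trim() -match '^\*(S-1-[\d-]+)$') {
            $sid = $Matches[1]
            $name = Resolve-SidString $sid
            if (-not $name) { $name = '<unresolved>' }
            New-Object psobject -Property @{ Right = $right; Sid = $sid; Account = $name }
        }
    }
}
Remove-Item $cfg
$rows | Sort-Object Account, Right | Format-Table Right, Sid, Account -AutoSize
```

Rows marked `<unresolved>` are the candidates for the leftover references to deleted accounts mentioned in the reply above.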
 
Guest

I'm on a domain controller so local policies are not defined. Can't seem to
find sid2name.exe. I guess I could just delete the unknown SID and hope for
the best. Big SID strings make GP hard to read. Seems kind of stupid
though.

Thanks
 
Guest

In trying your FindSID.js script, automation fails to create...... new ActiveXObject("gpmgmt.GPM"). I use the Group Policy Management Console (GPMC) but the "gpmgmt.GPM" progID is unknown on my machine. Are we talking about the same GPMC or is it a separate download?
 
Mike Treit [MSFT]

GPMC is a separate download. It's a stand-alone tool that we just released a few months back.

You can get it from:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

You need a Windows XP SP1 machine + the .NET framework, or a Windows Server 2003 machine, in order to run GPMC. It doesn't run on Windows 2000, though it can be used from an XP or later box to manage your Windows 2000 domains.

-Mike
 
