Hi,
Thanks for posting here! Many thanks for Chris's input.
An account shown like *S-1-5-32-547 is a user SID. The reason a user SID is
shown here rather than the account display name is that either it is not a
valid domain user account or the FSMO cannot resolve it. Many factors can
lead to this issue. For example, if we restored a server from one computer
to another, it is possible that the user accounts do not match between the
old server and the new server. The older user account was not deleted, so
the user SID can be shown there.
If your DC works fine, you can safely delete the user account and add the
appropriate user account to the group policy list.
To your second question:
There is an order in which group policies are applied when domain users and
computers log on to the domain. Group Policy settings are processed in the
following order:
1. Local Group Policy object--Each computer has exactly one Group Policy
object that is stored locally.
2. Site--Any Group Policy objects that have been linked to the site are
processed next. Processing is synchronous and in an order that is specified
by the administrator.
3. Domain--Processing of multiple domain-linked Group Policy objects is
synchronous and in an order specified by the administrator.
4. Organizational units--Group Policy objects that are linked to the
organizational unit that is highest in the Active Directory hierarchy are
processed first, then Group Policy objects that are linked to its child
organizational unit, and so on. Finally, the Group Policy objects that are
linked to the organizational unit that contains the user or computer are
processed.
At the level of each organizational unit in the Active Directory hierarchy,
one, many, or no Group Policy objects can be linked. If several Group
Policy objects are linked to an organizational unit, their processing is
synchronous and in an order that is specified by the administrator.
This order means that the local Group Policy object is processed first, and
Group Policy objects that are linked to the organizational unit of which
the computer or user is a direct member are processed last, which
overwrites the earlier Group Policy objects.
The Default Domain Controller Policy Settings are applied to the OU (the
domain controller - the SBS server box) and the Default Domain Policy
Settings are applied to the Domain. So the Default Domain Controller Policy
Settings will take effect eventually, and by default they will override
the Default Domain Policy settings if there is a conflict.
Because you want to control which users can log on to the server locally,
you need to configure the settings of the Default Domain Controller Policy.
You can refer to the following steps to add the user accounts that you want
to log on to the server locally to the list of the "Allow logon locally"
policy:
1. Locate the Default Domain Controllers and right-click it to choose Edit
to open the Group Policy Object Editor.
2. Expand Computer configuration, Windows Settings, Security Settings,
Local Policies, User right assignment.
3. Find "Allow logon locally" and double-click it to open the configuration
page and add the user accounts there.
4. Then run the command line "gpupdate" (no quotation marks) on the server
box to update the group policy.
5. Log off the users from the client workstations, then log on again and run
the command "Gpupdate /force" (no quotation marks) to refresh the group policy.
For more detailed information on group policy, you can take a look at the
following articles. I hope they are useful to you!
Order of processing settings
http://www.microsoft.com/technet/pro.../library/ServerHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx
Order of events when starting up and logging on
http://www.microsoft.com/technet/pro.../library/ServerHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx
Articles for Group Policy:
http://www.microsoft.com/technet/pro.../library/ServerHelp/6eed436f-5b05-4eaa-9525-c0c429fcf9f6.mspx
Group Policy Overview:
http://www.microsoft.com/technet/pro.../library/ServerHelp/6eed436f-5b05-4eaa-9525-c0c429fcf9f6.mspx
Create or delete a Group Policy object
http://www.microsoft.com/technet/pro.../library/ServerHelp/4f8dd800-e0e3-44a6-8a4a-d3d34b245fe7.mspx
Troubleshooting Group Policy application problems
http://support.microsoft.com/kb/250842/EN-US/
Group Policy Template Behavior in Windows Server 2003
http://support.microsoft.com/default...b;en-us;316977
I hope the above information is useful to you! I am happy to be of
assistance to you and look forward to your reply!
Have a nice day!
Sincerely,
Jenny Wu
Microsoft CSS Online Newsgroup Support
--------------------
>From: "Chris" <>
>Subject: Re: Unknown account user...
>Date: Wed, 9 Nov 2005 16:11:45 -0500
>Newsgroups: microsoft.public.windows.server.sbs
>
>What you have found is an orphaned user. This was a user created on the
>machine and then the workstation was disjoined from the domain or the
>computer name changed. You can safely delete this user. There is no cause
>for alarm.
>
>
>"Dhow" <> wrote in message
>news:52550CEC-9B48-4DB3-BABD-...
>>I have an 'Account Unknown' with this name: *S-1-5-32-547
>> I don't know who this user belongs to, because I've checked in Active
>> Directory Users and Computers but there is no such account.
>> Yet I found it being recorded (and given access) in these Default Domain
>> Controller Security Settings Properties (in User Rights Assignment):
>> - Access this computer from the network
>> - Allow log on locally
>> - Bypass traverse checking
>> - Change the system time
>> - Profile single process
>> - Remove computer from docking station
>> - Shut down the system
>>
>> I'm very afraid that this user is some kind of account made by hackers, in
>> order for them to use it to get into the domain controller... Please help
>> me identify this situation.
>>
>> Can anyone tell me more about the difference between Default Domain
>> Controller Settings & Default Domain Settings?
>> If I wish to make certain user accounts at some workstation computers
>> not able to log on to the server locally, where should I define this
>> 'Allow log on locally' setting: Default Domain Controller Settings or
>> Default Domain Settings?
>>
>> Thanks a lot!
>
>
>
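
The unresolved-SID check discussed in this thread, as an added example that is not part of the original posts: it reads the `[Privilege Rights]` section of a GPO security template (`GptTmpl.inf`), where `*`-prefixed entries are SIDs, and reports which ones the local machine cannot translate to an account name. The function name `Get-PrivilegeRightSid` is hypothetical and the template text is a constructed sample that reuses the SID from the question.

```powershell
# Constructed sample of a security template; a real one is the GptTmpl.inf of the GPO being audited.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-32-547
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-547
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-547
[Version]
signature="$CHICAGO$"
'@

# Hypothetical helper: one output object per SID granted a user right in the template.
function Get-PrivilegeRightSid {
    param([Parameter(Mandatory = $true)][string]$InfText)

    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user rights assignments.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $members = $Matches[2] -split ','
            foreach ($member in $members) {
                # '*S-1-...' is a SID; entries without '*' are plain account names and are skipped.
                if ($member.Trim() -match '^\*(S-1-[\d-]+)$') {
                    $sidText = $Matches[1]
                    try {
                        $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    }
                    catch { $name = $null }   # not mappable on this machine (or malformed)
                    [pscustomobject]@{
                        Right = $right; Sid = $sidText; Account = $name; Resolved = [bool]$name
                    }
                }
            }
        }
    }
}

# List only the rights held by SIDs that do not resolve to an account.
Get-PrivilegeRightSid -InfText $sampleInf | Where-Object { -not $_.Resolved }
```

Run it on the domain controller itself, since translation results depend on which accounts the local machine and its domain can resolve.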