Unknown account user...

Discussion in 'Windows Small Business Server' started by Dhow, Nov 9, 2005.

  1. Dhow

    Dhow Guest

    I have an 'Account Unknown' with this name: *S-1-5-32-547
    I don't know who this user belongs to, because I've checked in Active
    Directory Users and Computers but there is no such account.
    Yet I found it being recorded (and given access) in these Default Domain
    Controller Security Settings Properties (in User Rights Assignment):
    - Access this computer from the network
    - Allow log on locally
    - Bypass traverse checking
    - Change the system time
    - Profile single process
    - Remove computer from docking station
    - Shut down the system

    I'm very afraid that this user is some kind of account made by hackers, in
    order for them to use it to get into the domain controller... Please help me
    identify this situation.

    Can anyone tell me more about the difference between Default Domain
    Controller Settings & Default Domain Settings?
    If I wish to make certain user accounts at some workstation computers not
    able to log on to the server locally, where should I define this 'Allow log on
    locally' setting: Default Domain Controller Settings or Default Domain
    Settings?

    Thanks a lot!
     
    Dhow, Nov 9, 2005
    #1

  2. Dhow

    Chris Guest

    What you have found is an orphaned user. This was a user created on the
    machine and then the workstation was disjoined from the domain or the
    computer name changed. You can safely delete this user. There is no cause
    for alarm.
     
    Chris, Nov 9, 2005
    #2

  3. Hi,

    Thanks for posting here! Many thanks for Chris's input.

    An entry like *S-1-5-32-547 is a user SID. The reason a user SID is shown
    here rather than the user account display name is either that it is not a
    valid domain user account or that the FSMO cannot resolve it. Many factors
    can lead to this issue. For example, if we restored a server from one
    computer to another, it is possible that user accounts do not match
    between the old server and the new server, and the older user account was
    not deleted, so the user SID can be shown there.

    If your DC works fine, you can safely delete the user account and add the
    appropriate user account to the group policy list.

    To your second question:

    There is an order in which group policies are applied when domain users and
    computers log on to the domain. Group Policy settings are processed in the
    following order:

    1. Local Group Policy object--Each computer has exactly one Group Policy
    object that is stored locally.

    2. Site--Any Group Policy objects that have been linked to the site are
    processed next. Processing is synchronous and in an order that is specified
    by the administrator.

    3. Domain--Processing of multiple domain-linked Group Policy objects is
    synchronous and in an order specified by the administrator.

    4. Organizational units--Group Policy objects that are linked to the
    organizational unit that is highest in the Active Directory hierarchy are
    processed first, then Group Policy objects that are linked to its child
    organizational unit, and so on. Finally, the Group Policy objects that are
    linked to the organizational unit that contains the user or computer are
    processed.

    At the level of each organizational unit in the Active Directory hierarchy,
    one, many, or no Group Policy objects can be linked. If several Group
    Policy objects are linked to an organizational unit, their processing is
    synchronous and in an order that is specified by the administrator.

    This order means that the local Group Policy object is processed first, and
    Group Policy objects that are linked to the organizational unit of which
    the computer or user is a direct member are processed last, which
    overwrites the earlier Group Policy objects.

    The Default Domain Controller Policy Settings are applied to an OU (the
    domain controller - the SBS server box) and the Default Domain Policy
    Settings are applied to the Domain. So the Default Domain Controller Policy
    Settings will take effect eventually, and by default they will override the
    settings of the Default Domain Policy if there is a conflict.

    Because you want to control which users log on to the server locally, you
    need to configure the settings of the Default Domain Controller Policy. You
    can refer to the following steps to add the user accounts that you want to
    log on to the server locally to the list of the "Allow logon locally" policy:

    1. Locate the Default Domain Controllers and right-click it to choose Edit
    to open Group Policy Object Editor.
    2. Expand Computer Configuration, Windows Settings, Security Settings,
    Local Policies, User Rights Assignment.
    3. Find "Allow logon locally" and double-click it to open the configuration
    page and add user accounts here.
    4. Then run the command "gpupdate" (no quotation marks) on the server
    box to update the group policy.
    5. Log off users from client workstations, then log on again and run the
    command "Gpupdate /force" (no quotation marks) to refresh the group policy.

    For more detailed information about group policy, you can take a look at
    the following articles. Hope it is useful to you!
    Order of processing settings
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx

    Order of events when starting up and logging on
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx

    Articles for Group Policy:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6eed436f-5b05-4eaa-9525-c0c429fcf9f6.mspx

    Group Policy Overview:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6eed436f-5b05-4eaa-9525-c0c429fcf9f6.mspx

    Create or delete a Group Policy object
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4f8dd800-e0e3-44a6-8a4a-d3d34b245fe7.mspx

    Troubleshooting Group Policy application problems
    http://support.microsoft.com/kb/250842/EN-US/

    Group Policy Template Behavior in Windows Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;en-us;316977

    I hope the above information is useful to you! I am happy to be of
    assistance to you and look forward to your reply!

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security
    ======================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
     
    Jenny wu [MSFT], Nov 10, 2005
    #3
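One way to audit the situation discussed in posts #1 to #3: list every SID in User Rights Assignment and report the ones that do not resolve to an account name. This is an added example, not code from the thread; the function name `Resolve-RightsSid`, the export path and the sample INF content are assumptions constructed for illustration.

```powershell
# Added example: find User Rights Assignment entries whose SID does not resolve.
# On a live server, produce the input (elevated prompt) with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# $sampleInf is CONSTRUCTED sample data in the same INF layout.
$sampleInf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-547
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-547
'@

function Resolve-RightsSid {
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        foreach ($entry in $Matches[2] -split ',') {
            # Entries without the *S- prefix are account names that already resolved.
            if ($entry.Trim() -notmatch '^\*(S-1-[\d-]+)$') { continue }
            $sid = $Matches[1]
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = $null }   # no mapping on this machine or domain
            # S-1-5-32-* is the BUILTIN domain (544 = Administrators, 547 = Power Users);
            # S-1-5-21-* identifies an account issued by a domain or a single machine.
            $scope = switch -Wildcard ($sid) {
                'S-1-5-32-*' { 'BUILTIN alias' }
                'S-1-5-21-*' { 'Domain or machine account' }
                default      { 'Other well-known SID' }
            }
            [pscustomobject]@{ Right = $right; Sid = $sid; Name = $name; Scope = $scope; Resolved = [bool]$name }
        }
    }
}

# Show only the entries that need a closer look.
Resolve-RightsSid -InfText $sampleInf | Where-Object { -not $_.Resolved } | Format-Table -AutoSize
```

To run it against a real export, pass `(Get-Content C:\Temp\rights.inf -Raw)` as `-InfText`; the result depends on which accounts and groups exist on the machine where the script runs.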
  4. Dhow

    Dhow Guest

    To Jenny Wu,

    Thanks so much for your (& Chris's too) assistance.

    About the difference between Default Domain Controller Settings & Default Domain
    Settings: is it that the Win SBS 2003 Default Domain Controller Settings will
    override and be loaded after the Default Domain Settings, thus it'll make most
    changes even if there is a conflict with Default Domain Settings... is this
    correct?

    How about if I change the "Allow logon locally" value at Default Domain
    Settings instead, and leave the value at Default Domain Settings "Not
    defined"? Will the result be that the "Allow logon locally" value will become
    "Not defined" because the Default Domain Controller Settings override it?

    Could you please help me to solve the situation about Windows SharePoint 2.0
    (EventID:1000) I also have: it always reports that "#50070: Unable to
    connect to database STS_Config on <ServerName>\SharePoint."
    What went wrong there?

    Thank you for your information & help.
     
    Dhow, Nov 10, 2005
    #4
  5. Hi,

    Thanks for your update! I am glad to know that the information was helpful
    to you.

    The Default Domain Controller Policy Settings are applied to an OU: the SBS
    server box. This means that the policy takes effect on only that one
    computer. However, the Default Domain Policy Settings are applied to the
    Domain; this means that the policy takes effect on all objects in the domain
    (user accounts, computers, OUs and sites). Surely that includes the domain
    controller. When both group policies configure the same policy
    setting (such as: Allow logon locally) for one object, the Default Domain
    Controller policy will override the Default Domain policy. If not, the
    setting will not be overridden. In other words, the DC computer is only
    controlled by the Default Domain Controller policy, and other objects of
    the domain will be controlled by the Default Domain Policy.

    So if you configured the "Allow logon locally" setting of the Default Domain
    Policy, only groups or users you added to the allow logon list can log on
    locally to domain computers. A user account that is not listed here will not
    be able to log on to client computers locally.

    If you want to control which users log on to the server box, you need to
    configure the Default Domain Controller policy. And the setting of the
    Default Domain policy will be configured if you want to control logon to
    other domain computers.

    To the SharePoint question, I suggest you create a new thread for the issue
    and I will continue to work with you. Microsoft engineers can only focus on
    one issue per thread. This way we can keep the thread clean, and other
    partners can either share their knowledge or learn from your interaction
    with us. Thank you for your understanding.

    I am happy to be of assistance to you and look forward to working with you
    again!

    Have a nice day!

    Sincerely,

    Jenny Wu
    Microsoft CSS Online Newsgroup Support
    Get Secure! - www.microsoft.com/security
     
    Jenny wu [MSFT], Nov 11, 2005
    #5
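The "Not defined" question from post #4 and the override rule from post #5, worked through as a simplified model of the processing order (Local, Site, Domain, OU). This is an added example, not code from the thread; the function `Get-EffectiveUserRight`, the domain name EXAMPLE and the account lists are constructed, and `SeInteractiveLogonRight` is the internal name of the "Allow log on locally" right.

```powershell
# Added example: last-writer-wins resolution of one user right across GPOs.
# GPO contents below are CONSTRUCTED for illustration.
function Get-EffectiveUserRight {
    param(
        [Parameter(Mandatory)][object[]]$GpoChain,   # GPOs already in processing order
        [Parameter(Mandatory)][string]$Right
    )
    $winner = $null
    foreach ($gpo in $GpoChain) {
        # A right that is absent from a GPO is "Not defined": it changes nothing.
        if ($gpo.Rights.ContainsKey($Right)) { $winner = $gpo }
    }
    if (-not $winner) {
        return [pscustomobject]@{ Right = $Right; Source = 'Not defined'; Accounts = @() }
    }
    # The last GPO that defines the right supplies the whole list; lists are not merged.
    [pscustomobject]@{ Right = $Right; Source = $winner.Name; Accounts = $winner.Rights[$Right] }
}

$domain = @{
    Name   = 'Default Domain Policy'
    Rights = @{ SeInteractiveLogonRight = @('EXAMPLE\Domain Users') }
}
$dcDefined = @{
    Name   = 'Default Domain Controllers Policy'
    Rights = @{ SeInteractiveLogonRight = @('BUILTIN\Administrators', 'BUILTIN\Server Operators') }
}
$dcNotDefined = @{ Name = 'Default Domain Controllers Policy'; Rights = @{} }

# Workstation: only the domain-linked GPO applies.
Get-EffectiveUserRight -GpoChain @($domain) -Right SeInteractiveLogonRight
# Domain controller, both GPOs define the right: the OU-linked GPO wins outright.
Get-EffectiveUserRight -GpoChain @($domain, $dcDefined) -Right SeInteractiveLogonRight
# Domain controller, OU-linked GPO leaves it "Not defined": the domain value stays in force.
Get-EffectiveUserRight -GpoChain @($domain, $dcNotDefined) -Right SeInteractiveLogonRight
```

On a real server, `gpresult` shows which GPO actually supplied each setting after `gpupdate` has run.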
