none
Local users do not show up in the "Users" folder under Local Users and Groups MMC

    Question

  • We are running a Windows 2003 Standard server SP2, and have a problem where the
    local users do not show up in the "Users" folder under Computer Management >
    Local Users and Groups. Furthermore, if I run the snap-in directly
    (lusrmgr.msc), the same thing happens - the Users folder says "There are no
    items to show in this view." The Groups show up just fine, and you can see
    the users as members of those groups. You can also still login as these
    local users, even though they don't show up.

    The server is a standalone workgroup and not member of any DC

    I've done a lot of research on this, both online and trying everything I can
    on the server. He's the results of my testing on the server:

    1. I can give myself full control rights to the SAM\SAM key in the registry,
    which lets me see not just the SID of the local users on the server, but also
    the actual names associated with them.

    2. I can do a NET USER and get a list of every local user on the system.

    3. I can type "control userpasswords2" at a RUN prompt and get the old user
    management console from the older NT systems and THE USERS SHOW UP.

    4. When running the Computer Management MMC, or when running the lusrmgr.msc
    file, the users do not show up - but the local groups do.

    5. When connecting from a remote server using MMC same results as local MMC.
    Saturday, December 19, 2009 4:50 AM

Answers

  • Thank you for the suggestion, I executed the script on "Users" group and most regular accounts that were members of "Users" returned following. It does not appear to be anything out of ordinary unless im mistaken.

    Member Name: Test2212 (User)
      Primary Group ID: 513
      UserFlags: &H1, &H200

    Do you have any other suggestions we can try?

    Saturday, December 19, 2009 8:25 PM
  • Hi There,

    If you are able to enumerate the users using NET USE then there might be problem with the snapin , i would suspect a corruption.

    You could use File mon / procmon to understand what are the files which are getting referenced when you call lusrmgr.msc and then compare the result with the failure with success machine.

    Procedure :

    download procmon from sysinternals

    run the procmon

    Then open lusrmgr.msc

    click the user folder

    once you see that no users are populating , stop the procmon

    Repeat the above procedure on the system which is working

    use winmerge utility to compare the results from 2 machines.

    For further troublehsooting you could also use process explorer to check the call stack of lusrmgr.msc to check if any of the dll is missing
    Monday, December 21, 2009 2:27 AM
    Moderator

All replies

  • Possibly the objects are members of the local groups, but somehow not recognized as normal users (at least by the MMC). I would suggest running a VBScript program to enumerate all members of one of the groups to check if they are normal users. For example:

    Option Explicit
    
    Dim strComputer, strGroup, objGroup, objMember
    
    ' Specify name of computer.
    strComputer = "MyServer"
    
    ' Specify name of local group.
    strGroup = "MyTestGroup"
    
    ' Bind to group object.
    Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ",group")
    
    ' Enumerate direct members of group.
    For Each objMember In objGroup.Members
        Wscript.Echo "Member Name: " & objMember.Name & " (" & objMember.Class & ")"
        If (objMember.Class = "User") Then
            Wscript.Echo "  Primary Group ID: " & CStr(objMember.primaryGroupID)
            Wscript.Echo "  UserFlags: " & UserFlags(objMember.userFlags)
        End If
        If (objMember.Class = "Group") Then
            Wscript.Echo "  Group Type: " & CStr(objMember.groupType)
        End If
    Next
    
    Function UserFlags(ByVal intFlag)
        Dim k, intConst
    
        Const ADS_UF_SCRIPT = &H01
        Const ADS_UF_ACCOUNTDISABLE = &H02
        Const ADS_UF_HOMEDIR_REQUIRED = &H08
        Const ADS_UF_LOCKOUT = &H10
        Const ADS_UF_PASSWD_NOTREQD = &H20
        Const ADS_UF_PASSWD_CANT_CHANGE = &H40
        Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = &H80
        Const ADS_UF_TEMP_DUPLICATE_ACCOUNT = &H100
        Const ADS_UF_NORMAL_ACCOUNT = &H200
        Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = &H800
        Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &H1000
        Const ADS_UF_SERVER_TRUST_ACCOUNT = &H2000
        Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
        Const ADS_UF_MNS_LOGON_ACCOUNT = &H20000
        Const ADS_UF_SMARTCARD_REQUIRED = &H40000
        Const ADS_UF_TRUSTED_FOR_DELEGATION = &H80000
        Const ADS_UF_NOT_DELEGATED = &H100000
        Const ADS_UF_USE_DES_KEY_ONLY = &H200000
        Const ADS_UF_DONT_REQUIRE_PREAUTH = &H400000
        Const ADS_UF_PASSWORD_EXPIRED = &H800000
        Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = &H1000000
    
        UserFlags = ""
        intConst = 1
        For k = 1 To 25
            If ((intFlag AND intConst) <> 0) Then
                If (UserFlags = "") Then
                    UserFlags = "&H" & Hex(intConst)
                Else
                    UserFlags = UserFlags & ", &H" & Hex(intConst)
                End If
            End If
            intConst = 2 * intConst
        Next
    
    End Function
    This should be run at a command prompt using the cscript host. The output can be redirected to a text file. Modify the name of the computer and the name of the local group in the script. This program documents the "class" of all members of the group. If the member is a group, it documents the group type. If the member is a user, it documents the primary group ID (the RID of the primary group) and the userFlags property. The meaning of the flag mask bits is documented in the script. For example: &H200, &H10000 means normal user account, don't expire password. Maybe this information will help.

    Richard Mueller
    MVP ADSI
    Saturday, December 19, 2009 5:48 PM
  • Thank you for the suggestion, I executed the script on "Users" group and most regular accounts that were members of "Users" returned following. It does not appear to be anything out of ordinary unless im mistaken.

    Member Name: Test2212 (User)
      Primary Group ID: 513
      UserFlags: &H1, &H200

    Do you have any other suggestions we can try?

    Saturday, December 19, 2009 8:25 PM
  • Looks normal. Confirms the members have class "User" and normal value for userFlags attribute. I'm out of ideas.

    Richard Mueller
    MVP ADSI
    Saturday, December 19, 2009 8:54 PM
  • Hi There,

    If you are able to enumerate the users using NET USE then there might be problem with the snapin , i would suspect a corruption.

    You could use File mon / procmon to understand what are the files which are getting referenced when you call lusrmgr.msc and then compare the result with the failure with success machine.

    Procedure :

    download procmon from sysinternals

    run the procmon

    Then open lusrmgr.msc

    click the user folder

    once you see that no users are populating , stop the procmon

    Repeat the above procedure on the system which is working

    use winmerge utility to compare the results from 2 machines.

    For further troublehsooting you could also use process explorer to check the call stack of lusrmgr.msc to check if any of the dll is missing
    Monday, December 21, 2009 2:27 AM
    Moderator