Unknown SID - How can I find out more info about when it was created etc.

  • Question

  • Having just implemented 2008 DCs in the 2003 forest, I have noticed an unknown SID. I'm trying to find out more about this SID.
    Does anyone know how I can find out when this account was created/deleted?
    s-1-5-21-xxxxx....

    Can I use adsiedit - does anyone know the query to look up SIDs?

    Saturday, September 19, 2009 11:46 AM

All replies

  • you can locate the object by running (adfind is available from joeware.net):
    adfind -gc -f "(objectSID=s-1-5-21-xxxxx....)"
    and then use
    repadmin /showmeta distinguished_name
    to display its metadata - including the creation date and originating DC

    hth
    Marcin
    • Edited by Marcin PolichtMVP Saturday, September 19, 2009 1:44 PM
    • Marked as answer by Arkturas Saturday, September 19, 2009 11:40 PM
    Saturday, September 19, 2009 12:02 PM
  • In addition to Marcin's suggestion, you can also use a tiny tool called SID2Username, which can be downloaded from here: http://blogs.sepago.de/tools/2009/03/11/sid2username/

    In conjunction with the link provided, you might have to see this link as well: http://support.microsoft.com/kb/243330


    Thanks

    http://technetfaqs.wordpress.com
    • Marked as answer by Arkturas Saturday, September 19, 2009 11:40 PM
    Saturday, September 19, 2009 12:08 PM
  • They are unknown accounts. When you delete an account, the permissions are not removed automatically; you have to remove them by hand. You will need to look in a number of places to see where it was done.

    A tool that can help is SUBINACL.exe... I don't remember the option, but it has one to look for UNKNOWN ACCOUNTS specifications....
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/980b9845-9235-4f71-8d25-2beb20cdfed2

    PSGETSID would allow you to run a query on the SID
    http://www.microsoft.com/technet/sysinternals/utilities/pstools.mspx

    Before deleting any SID, cross check the SID mentioned in the below article...
    Well-known security identifiers in Windows operating systems
    http://support.microsoft.com/kb/243330

    Saturday, September 19, 2009 1:16 PM
  • Thanks, I have a slight suspicion that the unknown SID is also related to the RODC attributes.
    I had a look at a copy of the 2003 DC before implementing AD 2008, and this unknown SID account was not visible, so it's definitely been created after the AD 2008 install.
    The "unknown account" account has high-level read-only permissions to the AD forest.

    Diagnosing other issues using DCDIAG revealed the following error:

     Starting test: NCSecDesc
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=mydomain,DC=com
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=mydomain,DC=com
        ......................... TLDC2 failed test NCSecDesc


    I think the two points are related; not all the RODC attributes have been created (I did not run ADPREP /RODCPREP as I had no plans to use RODCs).

    See this link: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/497a0713-6938-473d-8e6b-c041673304f9

    Saturday, September 19, 2009 2:45 PM
  • adprep /rodcprep does not introduce any new attributes - it is used to update permissions on application partitions. For the list of updates, refer to http://technet.microsoft.com/en-us/library/cc731405(WS.10).aspx

    hth
    Marcin

    • Marked as answer by Arkturas Saturday, September 19, 2009 11:39 PM
    Saturday, September 19, 2009 3:23 PM
  • Ok thanks Marcin,

    I ran both AdFind and SID2Username - they can't find the object, which is very strange.
    adfind -gc -f "(objectSID=S-1-5-21-2543690362-3417689752-4057966709-498)"

    The account has the following permissions under Users & Computers \Domain.com:

    General Permissions:
    Read Domain Password & Lockout Policies
    Read Other Domain Parameters (for use by SAM)
    Read RTCUserSearchPropertySet

    SPECIAL Permissions:
    Not Inherited: Applied to this object ONLY: Domain
    List Contents
    Read All Properties

    • Marked as answer by Arkturas Saturday, September 19, 2009 11:39 PM
    Saturday, September 19, 2009 3:50 PM
  • This is the SID assigned to the Enterprise Read-Only Controllers Group...
    The corresponding object is created automatically when you transfer the PDC Emulator to your Windows Server 2008-based DC (which apparently you haven't done)...

    hth
    Marcin

    • Marked as answer by Arkturas Saturday, September 19, 2009 11:39 PM
    Saturday, September 19, 2009 4:52 PM
  • Will transfer the roles first thing in the morning. Thanks for the help.
    How did you identify that this SID was for the Enterprise Read-Only Controllers Group?

    Saturday, September 19, 2009 11:39 PM
  • Last three characters - it's always the SID of the forest root domain with the 498 RID appended to it...

    hth
    Marcin
    • Marked as answer by Arkturas Saturday, September 19, 2009 11:49 PM
    Saturday, September 19, 2009 11:46 PM
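As an added worked example (not part of the original thread), here is the decomposition Marcin describes, in Python: split the SID into the domain identifier and the RID, look the RID up against the well-known domain RIDs from KB 243330, and, because adfind accepts the S-1-... string but a plain LDAP client needs the binary form of objectSid, build the RFC 4515 escaped filter for the same lookup. The RID table below is my own subset of KB 243330 (498 and the neighbouring well-known RIDs), and the sample SID is the one the poster quoted.

```python
"""Decompose a Windows SID string, name a well-known RID, and build an
objectSid LDAP filter. Added example; not code from the original thread.
RID table: subset of KB 243330. Sample SID: the one quoted in the thread."""
import struct

# Well-known domain-relative RIDs (KB 243330). Entries flagged True exist
# only under the forest root domain's SID, as the thread notes for 498.
WELL_KNOWN_RIDS = {
    498: ("Enterprise Read-only Domain Controllers", True),
    500: ("Administrator", False),
    501: ("Guest", False),
    502: ("krbtgt", False),
    512: ("Domain Admins", False),
    513: ("Domain Users", False),
    514: ("Domain Guests", False),
    515: ("Domain Computers", False),
    516: ("Domain Controllers", False),
    517: ("Cert Publishers", False),
    518: ("Schema Admins", True),
    519: ("Enterprise Admins", True),
    520: ("Group Policy Creator Owners", False),
    521: ("Read-only Domain Controllers", False),
    553: ("RAS and IAS Servers", False),
    571: ("Allowed RODC Password Replication Group", False),
    572: ("Denied RODC Password Replication Group", False),
}


def parse_sid(sid):
    """Return (revision, identifier_authority, [sub-authorities]) for 'S-1-5-...'."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subs


def split_domain_rid(sid):
    """Split 'S-1-5-21-A-B-C-RID' into ('S-1-5-21-A-B-C', RID).
    Non-domain SIDs such as S-1-5-18 come back unchanged with RID None."""
    rev, auth, subs = parse_sid(sid)
    if auth != 5 or len(subs) != 5 or subs[0] != 21:
        return sid, None
    domain = "-".join(["S", str(rev), str(auth)] + [str(s) for s in subs[:4]])
    return domain, subs[4]


def describe_rid(sid):
    """Name the RID if it is well known (the step Marcin did by eye); else None."""
    _, rid = split_domain_rid(sid)
    if rid is None or rid not in WELL_KNOWN_RIDS:
        return None
    name, root_only = WELL_KNOWN_RIDS[rid]
    return name + (" (forest root domain only)" if root_only else "")


def sid_to_bytes(sid):
    """Serialise to the binary SID structure stored in objectSid:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then each sub-authority as 32-bit little-endian."""
    rev, auth, subs = parse_sid(sid)
    out = struct.pack("BB", rev, len(subs)) + auth.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def objectsid_filter(sid):
    """LDAP filter with each byte escaped as \\XX (RFC 4515), for clients
    that do not translate the S-1-... string the way adfind does."""
    return "(objectSid=" + "".join(f"\\{b:02x}" for b in sid_to_bytes(sid)) + ")"


if __name__ == "__main__":
    sid = "S-1-5-21-2543690362-3417689752-4057966709-498"
    print(split_domain_rid(sid))
    print(describe_rid(sid))
    print(objectsid_filter(sid))
```

Feeding the escaped filter to any LDAP client against a global catalog is equivalent to the adfind command in the thread; if neither returns an object for a RID in the table, the well-known principal simply has not been created yet in that domain, which is exactly what the thread ended up diagnosing.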
  • Just wanted to say, your answer was spot-on. As soon as I transferred the PDC role to the 2008 R2 DC, the SID resolved itself to "Enterprise Read-only Domain Controllers".

    Thanks, Marcin

    Sunday, September 20, 2009 7:59 PM