Unknown User Account

  • Question

  • After deleting the user account (example: user1), which had been assigned permissions to a few shared folders, we browse to the shared folder and now we have this unknown account. Besides manually deleting it, is there any other solution or hotfix to solve this issue?

     

    account unknown (s-1-5-21-959507258-273434153-1118873519-1221)

     

    Can any hotfix resolve this issue? Please help.

    Tuesday, July 3, 2007 3:47 PM


All replies

  • That's because the SID is saved but cannot be resolved to an account, hence the "account unknown".

     

    At the moment it's manual deletion :)

    Tuesday, July 3, 2007 7:52 PM
  • You may want to give it a try using the Xcacls.exe/Xcacls.vbs command line utilities, available as part of the resource kit.
    http://tech.cuip.net/logins/docs/Xacls-overview.htm

     

    Wednesday, July 4, 2007 10:54 AM
  • When a user or group is removed from AD or the SAM, it does NOT automatically remove the ACE from the ACLs that list the SID of the user or group. To remove those you need to additionally clean up manually....

     

    A tool that can help is SUBINACL... don't remember the option, but it has one to look for UNKNOWN ACCOUNTS specifications....

     

    Before removing the ACE, make sure the account does not exist in AD by querying AD for the SID and seeing if it resolves to a username. This is a safe measure!

    Wednesday, July 4, 2007 10:07 PM
  • I have an Account Unknown listed on the security tab for one of my Domain Controllers' NTDS Settings in AD Sites and Services.

     

    When I run the script from http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1203.mspx to identify what the SID may have been associated with, nothing is reported. Is there any other method for validating whether the SID is still associated with a live account, or can I safely remove this Account Unknown from the settings?

    Wednesday, September 12, 2007 3:51 PM
  • Basically, if you cannot resolve the account automatically AND manually using some tool, you can delete the entry.

     

    However, before removing, provide us with the SID that is shown in the list. I just want to see if it is a known account or something you configured.

     

    Wednesday, September 12, 2007 4:15 PM
  • Here is the SID that is listed from the NTDS settings.

     

    Account Unknown(S-1-5-21-795153822-3930461483-4049951649-512)

     

    Another wrinkle in the picture (and one that may ultimately resolve where this SID came from) is that this Domain Controller is having a Kerberos issue in that it will not resolve to the time provider designated for our domain. When we try to have it sync up with the time provider in the domain it fails, and it also fails when we try to get it to sync up with a Microsoft time server.

     

    Could this unknown SID somehow be causing the DC to not be able to correctly sync up with the time server? (Meaning this particular account is what is being checked first for authentication, and since it isn't recognized the time sync isn't being allowed?)

     

    Thanks for the follow up.

     

    Wednesday, September 12, 2007 5:07 PM
  • That's what I thought....

     

    As mentioned in http://support.microsoft.com/kb/243330:

     

    SID: S-1-5-domain-512
    Name: Domain Admins
    Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

     

    So, DO NOT REMOVE that entry...

     

    Please explain the following in more detail. Also check the event logs for event IDs with errors.

    ------

    Another wrinkle in the picture (and one that may ultimately resolve where this SID came from) is that this Domain Controller is having a Kerberos issue in that it will not resolve to the time provider designated for our domain. When we try to have it sync up with the time provider in the domain it fails, and it also fails when we try to get it to sync up with a Microsoft time server.

    ------

     

    Wednesday, September 12, 2007 5:34 PM
  • Thanks for the link about SID categorization. Very handy.

     

    As for the error...here it is:

     

    A Kerberos Error Message was received:

    on logon session

    Client Time:

    Server Time: 19:22:20.0000 9/12/2007 Z

    Error Code: 0xd KDC_ERR_BADOPTION

    Extended Error: 0xc00000bb KLIN(0)

    Client Realm:

    Client Name:

    Server Realm: A*****.COM

    Server Name: host/****.a*****.com

    Target Name: host/i****c.a*****.com@A*****.COM

    Error Text:

    File: 9

    Line: ae0

    Error Data is in record data.

     

    We have had this event showing up in the logs for some time now. We think that it has to do with time synchronization with the domain provider, due to the error code and the extended error code.

     

    When we force the DC to resync with the time provider for the domain, the Kerberos event shows up in the log and we get the error at the command line: "The computer did not resync because not time data was available."

     

    However, when we use the w32tm command to force any other computer to resync, it is successful.

     

    Sorry for turning this thread into something more than Account Unknown, but any help in resolving this would be much appreciated.

    Wednesday, September 12, 2007 9:08 PM
  • Try Winzero RemoveUnknown. It will report and remove unknown account SIDs from shares and folders.

    It can also report and resolve domain or server SIDs in a GUI.

     

    http://www.winzero.ca/RemoveUnknown.htm

     

     

     

    Wednesday, November 14, 2007 8:09 PM
  • Thanks for the link. I'll have to keep that program in mind.

    Monday, November 19, 2007 1:44 PM
  • Hi guys,

    holy old thread,

    I have a different issue: I don't want to get rid of the account unknown, I would like to restore it.

    More info: the accounts in question are local administrator accounts on a domain; their "My Documents" folders still exist; I can log in as the domain admin, and I would like to know a safe way to create or restore the accounts to their regular states without deleting their information and settings or messing up the server in any way.


    thanks in advance

    Thursday, July 31, 2008 6:05 AM

  • You can use subinacl.exe to delete the unknown SID.

    /CLEANDELETEDSIDSFROM
    ---------------------
    /cleandeletedsidsfrom=domain[=dacl|sacl|owner|primarygroup|all]
        delete all ACEs containing deleted (no valid) Sids from DomainName
        You can specify which part of the security descriptor will be scanned
        (default=all)
        If the owner is deleted, new owner will be the Administrators group.
        If the primary group is deleted, new primary group will be the Users group.
     
    for example,

    subinacl.exe /outputlog=log.txt /errorlog=errlog.txt /subdirectories C:\DIRECTORYPATH\*.* /cleandeletedsidsfrom=DOMAINNAME

    Tuesday, June 21, 2011 2:52 AM
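As an added example (not from this thread and not code from subinacl or any other tool mentioned in it), the check the replies describe, done in PowerShell: enumerate the explicit ACEs on a folder tree, try to translate each SID, treat a domain SID ending in a well-known RID such as 512 (Domain Admins) as a lookup failure rather than a deleted account, and remove only genuinely stale entries when -Remove is supplied. The folder path and the $ProtectedRids table are assumptions for illustration.

```powershell
# Added example: audit ACEs whose SID no longer resolves, protect well-known
# domain RIDs (KB 243330) from removal, and remove stale entries only on -Remove.
param(
    [Parameter(Mandatory)] [string] $Path,   # folder tree to audit (assumed)
    [switch] $Remove                         # default is report-only
)

# Built-in domain RIDs: an unresolved SID ending in one of these points to a
# trust/lookup problem (as in the thread), not to a deleted account.
$ProtectedRids = @{ 500='Administrator'; 502='krbtgt'; 512='Domain Admins';
                    513='Domain Users'; 516='Domain Controllers'; 519='Enterprise Admins' }

function Test-SidResolves([System.Security.Principal.SecurityIdentifier] $Sid) {
    # Translate() throws IdentityNotMappedException when no account owns the SID
    try { [void] $Sid.Translate([System.Security.Principal.NTAccount]); $true }
    catch [System.Security.Principal.IdentityNotMappedException] { $false }
}

Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
    $item = $_
    $acl  = Get-Acl -LiteralPath $item.FullName
    # Request SID form so we see S-1-5-21-... instead of "Account Unknown";
    # explicit ACEs only, since inherited ones must be fixed on the parent.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference
        if (Test-SidResolves $sid) { continue }

        # Domain SIDs: last component is the RID
        $rid = if ($sid.Value -like 'S-1-5-21-*') { [int] ($sid.Value -split '-')[-1] } else { -1 }
        if ($ProtectedRids.ContainsKey($rid)) {
            Write-Warning "$($item.FullName): $($sid.Value) is RID $rid ($($ProtectedRids[$rid])); lookup failure, NOT removing"
            continue
        }

        if ($Remove) {
            [void] $acl.RemoveAccessRule($ace)
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
            "$($item.FullName): removed stale ACE for $($sid.Value)"
        } else {
            "$($item.FullName): unresolved SID $($sid.Value) (re-run with -Remove to clean up)"
        }
    }
}
```

Run it once without -Remove and review the output before running it with -Remove; Set-Acl needs write access to the object's security descriptor, so run it as an account that owns the files or holds the Restore Files and Directories privilege.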