Microsoft KB Archive/827016

= Local Service and other well-known security principals do not appear on your Windows Server 2003 domain controller =

Article ID: 827016

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition

-





SYMPTOMS
After you run the dcpromo.exe command on a Microsoft Windows Server 2003 computer to promote the server to a domain controller, the Local Service and other well-known security principals that are introduced with Windows Server 2003 do not appear. You cannot resolve the well-known security principals when you try to add the well-known accounts by using NTFS file system permissions on a file or a folder. Additionally, you cannot resolve the well-known security principals when you use the ADSI Edit tool, the Group Policy Object Editor snap-in (Gpedit.msc), or Registry Editor. Also, if you use the ADSI Edit tool or the LDP tool (Ldp.exe), the well-known accounts do not appear in the following container:

CN=WellKnown Security Principals,CN=Configuration,DC= 



CAUSE
This behavior occurs when the forest root domain controller that holds the primary domain controller (PDC) emulator operations master role is running Microsoft Windows 2000 Server. If the forest root PDC emulator operations master is running Windows 2000, the CN=WellKnown Security Principals,CN=Configuration,DC=  container is not updated with the well-known security principals that are introduced in Windows Server 2003. Therefore, the Object Picker cannot find and resolve the corresponding names. The Object Picker queries the WellKnown Security Principals container to find the list of well-known security principals.



RESOLUTION
To resolve this behavior, upgrade the forest root PDC emulator operations master role holder to Windows Server 2003. 

WORKAROUND
To work around this behavior, you can script the maintenance of the Windows Server 2003 well-known security principals by using the Subinacl.exe tool. For example, to grant Read permissions to a registry key for the Local Service account, type the following command:

subinacl /keyreg  /grant=&quot;local service&quot;=r

Note The Subinacl.exe tool is included in the Windows 2000 Resource Kit.



MORE INFORMATION
You may experience the behavior that is described in the &quot;Symptoms&quot; section with one or more of the following well-known security principals that are introduced in Windows Server 2003:
 * Digest Authentication
 * Local Service
 * Network Service
 * NTLM Authentication
 * Other Organization
 * Remote Interactive Logon
 * SChannel Authentication
 * This Organization

