Microsoft KB Archive/262958

= Lookup of Permissions on ACLs Shows Only SIDs =

Article ID: 262958

Article Last Modified on 5/29/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Tablet PC Edition

-



This article was previously published under Q262958



SYMPTOMS
When you try to view NTFS or share permissions on a Windows 2000 member server or a computer that runs Windows 2000 Professional or Windows XP, the Security Identifiers (SIDs) are displayed, but the account or group to which the SIDs correspond is not displayed.

Additionally, an error message similar to one of the following may be displayed in the Application Event log:

Source: Userenv

Category: None

Type: Error

Event ID: 1000

Description: Windows cannot determine the user or computer name. Return value (5).

-or-

Source: Userenv

Category: None

Type: Error

Event ID: 1053

Description: Windows cannot determine the user or computer name. (Access is denied.). Group Policy processing aborted.

The Gpresult.exe command-line tool from the resource kit may show information similar to the following example: The user is a member of the following security groups:

LookupAccountSid failed with 1789. \Everyone BUILTIN\Users BUILTIN\Administrators LookupAccountSid failed with 1789. LookupAccountSid failed with 1789. LookupAccountSid failed with 1789. \LOCAL NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users The 1789 error is listed for every global group in which the user is a member.



CAUSE
This behavior occurs because the computer to which the user is logging on does not have the &quot;Access this Computer from the Network&quot; permission at the validating domain controller. Computers that run Windows 2000 or Windows XP are members of the Authenticated Users group, and either that group or the Everyone group was removed from the list of groups that are granted the &quot;Access this Computer from the Network&quot; permission.



RESOLUTION
In an appropriate Group Policy Object at the Domain Controllers container (most likely the Default Domain Controllers Policy), ensure that the appropriate groups are listed in the &quot;Access this Computer from the Network&quot; permission. You can find this permission in the following folder:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

The following groups have the &quot;Access this Computer from the Network&quot; permission on domain controllers by default:

Administrators

Authenticated Users

Everyone

NOTE: Include the Everyone group in the list of groups because certain operations involve accounts that may not have been authenticated to the domain yet. Examples of these operations include when a user changes an expired password at logon, or when a user in a trusting domain needs to anonymously enumerate users and groups to apply Access Control Lists (ACLs) in the trusting domain (for Microsoft Windows NT 4.0 or inter-forest trusts).

Additional query words: resolve fail missing name icon gpresult security dialog

Keywords: kbenv kberrmsg kbprb KB262958

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.