Microsoft KB Archive/316827

= The SID of a user account that was deleted appears in the Local Security Policy snap-in after you use the LsaRemoveAccountRights function to remove user rights in Windows 2000 =

Article ID: 316827

Article Last Modified on 3/22/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q316827





SYMPTOMS
After you run a program that removes user rights and then deletes the user account, the security identifier (SID) of the user still appears in the Local Security Policy snap-in. The SID of the user account that was deleted is visible when you expand Local Policies and then click User Rights Assignment. You may experience this symptom after you use the LsaRemoveAccountRights function to programmatically remove the user rights.
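The following script is an added example and is not part of the Knowledge Base article. It detects the symptom described above on a running machine: it exports the effective User Rights Assignment with secedit.exe, then reports every SID in the [Privilege Rights] section that no longer resolves to an account. Assumptions: an elevated PowerShell session, secedit.exe on the path, and the scratch file path under $env:TEMP (the function and variable names are the author's own choices).

```powershell
# Added example; not code from the KB article. Lists user rights that are still
# assigned to SIDs that Windows can no longer resolve (for example, deleted accounts).
function Get-OrphanedUserRightSids {
    param(
        # Assumed scratch location for the secedit export.
        [string]$ExportPath = (Join-Path $env:TEMP 'user-rights-export.inf')
    )

    # secedit writes the effective local policy; the [Privilege Rights] section
    # holds lines of the form  SeServiceLogonRight = *S-1-5-21-...,*S-1-5-32-544
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $ExportPath)) { throw "secedit export did not produce $ExportPath" }

    $inPrivilegeRights = $false
    foreach ($line in Get-Content $ExportPath) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inPrivilegeRights = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inPrivilegeRights -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }

        $right = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            # Entries written as names (no leading '*') were already resolved by secedit.
            if (-not $entry.StartsWith('*')) { continue }

            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
            try {
                [void]$sid.Translate([System.Security.Principal.NTAccount])
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                # This is exactly what the snap-in shows as a raw SID under User Rights Assignment.
                [pscustomobject]@{ Right = $right; Sid = $sid.Value }
            }
        }
    }
    Remove-Item $ExportPath -ErrorAction SilentlyContinue
}

Get-OrphanedUserRightSids | Format-Table -AutoSize
```

An empty result means no orphaned SIDs remain. A SID that belongs to a deleted account cannot be removed by name; remove it by SID (for example with the LsaRemoveAccountRights function the article discusses, passing the raw SID) or edit the right in the snap-in.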



CAUSE
This problem occurs when the user-rights mapping information that is stored in the Local Security Policy database is not removed for the user account that you deleted. In Microsoft Windows 2000, a background notification occurs for policy changes. The background notification includes information about user rights that are changed and user accounts that are deleted. When you change user rights, Windows 2000 loads Group Policy settings and queries the Local Security Authority (LSA) to obtain the new user rights assignments. Windows 2000 then compares the Group Policy settings with the LSA to determine the differences between them and makes the appropriate changes. The changes are saved back to the appropriate Group Policy object (GPO).

As part of the notification process, Windows 2000 performs a lookup of the user account for validation and for logging purposes. If the user account is deleted before this process occurs, Windows 2000 cannot resolve the SID and the notification component quits. Therefore, Windows 2000 does not remove the user rights that are assigned to the user account from the GPO. During the next policy propagation, Windows 2000 reloads the user rights that were removed on the local computer. The user rights that were assigned to the user account are not removed from the Local Security Policy snap-in.



RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack



WORKAROUND
If there is a sufficient delay between the time when the user rights are removed and the time when the user account is deleted, the notification component has time to finish the lookup of the user account. If you include a sufficient delay before you delete the user account, you do not experience the problem that is described in the "Symptoms" section of this article. For example, you can call Sleep(1000) between the call to the LsaRemoveAccountRights function and the call to the NetUserDel function that deletes the user account. Note that this delay only makes the race unlikely; it does not guarantee that the notification completes first, so the service pack in the "Resolution" section remains the fix.
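The sequence the workaround describes, as an added example that is not code from the Knowledge Base article. It calls the same Win32 functions the article names (LsaOpenPolicy, LsaRemoveAccountRights, LsaClose, NetUserDel) through a P/Invoke wrapper written for this example, resolves the account's SID before anything is deleted, waits the 1000 milliseconds the article suggests, and only then deletes the account. Assumptions: an elevated PowerShell session on the target machine, a local account name and a user right supplied as placeholders (svc_legacy, SeServiceLogonRight), and the Lsa wrapper class and Remove-RightThenDeleteUser function, which are the author's own names.

```powershell
# Added example; not code from the KB article. Removes one user right from an
# account with LsaRemoveAccountRights, waits, then deletes the account with NetUserDel.
param(
    [string]$UserName  = 'svc_legacy',           # assumed local account name
    [string]$RightName = 'SeServiceLogonRight',  # assumed user right to remove
    [int]$DelayMs      = 1000                    # Sleep(1000) from the article's workaround
)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class Lsa
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    // LsaRemoveAccountRights requires POLICY_LOOKUP_NAMES on the policy handle.
    public const uint POLICY_LOOKUP_NAMES = 0x00000800;

    [DllImport("advapi32.dll")]
    public static extern uint LsaOpenPolicy(IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
                                            uint DesiredAccess, out IntPtr PolicyHandle);

    // UserRights is an array of LSA_UNICODE_STRING; with CountOfRights == 1 a ref to one struct is the same pointer.
    // BOOLEAN is a single byte, hence the I1 marshalling.
    [DllImport("advapi32.dll")]
    public static extern uint LsaRemoveAccountRights(IntPtr PolicyHandle, byte[] AccountSid,
                                                     [MarshalAs(UnmanagedType.I1)] bool AllRights,
                                                     ref LSA_UNICODE_STRING UserRights, uint CountOfRights);

    [DllImport("advapi32.dll")] public static extern uint LsaClose(IntPtr ObjectHandle);
    [DllImport("advapi32.dll")] public static extern uint LsaNtStatusToWinError(uint Status);

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint NetUserDel(string servername, string username);
}
'@

function Remove-RightThenDeleteUser {
    param([string]$Name, [string]$Right, [int]$Delay)

    # Resolve the SID while the account still exists; after NetUserDel the name is gone.
    $sidObj = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
    $sid = New-Object byte[] $sidObj.BinaryLength
    $sidObj.GetBinaryForm($sid, 0)

    $attrs  = New-Object 'Lsa+LSA_OBJECT_ATTRIBUTES'
    $policy = [IntPtr]::Zero
    $status = [Lsa]::LsaOpenPolicy([IntPtr]::Zero, [ref]$attrs, [Lsa]::POLICY_LOOKUP_NAMES, [ref]$policy)
    if ($status -ne 0) { throw "LsaOpenPolicy failed, Win32 error $([Lsa]::LsaNtStatusToWinError($status))" }

    try {
        # LSA_UNICODE_STRING lengths are in bytes, not characters.
        $buf = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($Right)
        $us = New-Object 'Lsa+LSA_UNICODE_STRING'
        $us.Length        = [uint16]($Right.Length * 2)
        $us.MaximumLength = [uint16](($Right.Length + 1) * 2)
        $us.Buffer        = $buf
        try   { $status = [Lsa]::LsaRemoveAccountRights($policy, $sid, $false, [ref]$us, 1) }
        finally { [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
        if ($status -ne 0) { throw "LsaRemoveAccountRights failed, Win32 error $([Lsa]::LsaNtStatusToWinError($status))" }
    }
    finally { [void][Lsa]::LsaClose($policy) }

    # The article's workaround: give the policy-change notification time to resolve the
    # SID before the account disappears. Deleting immediately can leave the orphaned SID
    # in User Rights Assignment on the affected Windows 2000 builds.
    Start-Sleep -Milliseconds $Delay

    $rc = [Lsa]::NetUserDel($null, $Name)   # null server name = local computer
    if ($rc -ne 0) { throw "NetUserDel failed with NET_API_STATUS $rc" }
}

Remove-RightThenDeleteUser -Name $UserName -Right $RightName -Delay $DelayMs
```

Passing $true for AllRights instead of a right list removes every right the account holds and also deletes the account's entry from the LSA database, which is the usual choice when the account is about to be removed anyway; the delay before NetUserDel applies either way.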



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article. This problem was corrected in Windows 2000 Service Pack 3 (SP3).



MORE INFORMATION
For more information about the LsaRemoveAccountRights function, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms721809.aspx

Additional query words: user privileges

Keywords: kbbug kbfix kbqfe kbwin2000sp3fix kbsecurity kbhotfixserver KB316827

-


© Microsoft Corporation. All rights reserved.