Windows 2000 group names not displaying in Windows 2008 R2 security window
I recently began experimenting with 2008 R2 on my domain. The 2008 R2 has been joined to the domain as a simple member server. The DCs and all of the other servers are 2000 SP4. Yes, really old I know.

When I share a folder on the R2 machine and give permissions to existing domain groups, the group names do not always display in the security window (sometimes they do, which is the most confusing part). What is displayed is the long string representing the group or user within AD. The security is still there and being applied correctly in that the correct groups/users are allowed into the folder. If I try to re-add a group, the result is a message that the group is already there, so it would seem it is the lookup into AD for the name that is the problem, not the application of the permissions.

Any clues as to where to look for this?

Kris
July 29th, 2010 10:27pm

Hello Kris,

When a user or group is removed from AD or the SAM, it does not automatically remove the ACE from the ACLs that list the SID of the user or group. To remove those you need to additionally clean up manually. I suggest you try to translate the SID by using the tool PsGetSid. If the tool does not translate SIDs to their display name, you could delete the entry from the ACL.

PsGetSid
http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

The solutions in the following threads are for your reference:

Active Directory Security Permissions (Account Unknown)
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/d3d6b211-7c31-4ebc-aff6-489d60fd9910

Unknown SID - How can I find out more info about when it was created etc..
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/5190432e-72e2-4f4f-af5a-cae3f7273b23

Brent Hu

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 30th, 2010 5:29am
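The SID translation check suggested in the reply above, as an added PowerShell example (not code from any poster in this thread). It lists every ACE on a folder by raw SID and reports whether the machine it runs on can resolve that SID to a name; the function name `Get-AceSidResolution` and the sample path are assumptions, and a SID that fails to resolve here only shows that the lookup failed on this machine, not that the account was deleted.

```powershell
# Added example: report which ACEs on a folder resolve to an account name.
# Get-AceSidResolution is a hypothetical helper name, not a built-in cmdlet.
function Get-AceSidResolution {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $acl = Get-Acl -Path $Path

    # Request the rules keyed by raw SID so no name lookup happens implicitly.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid  = $rule.IdentityReference
        $name = $null
        $err  = $null
        try {
            # Same SID-to-name lookup the security dialog depends on.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            $err = 'SID could not be mapped to a name'
        }
        catch {
            # Any other failure from Translate (for example a Win32 lookup error).
            $err = $_.Exception.Message
        }

        # New-Object PSObject keeps this usable on PowerShell 2.0 (2008 R2 default).
        New-Object PSObject -Property @{
            Sid       = $sid.Value
            Name      = $name
            Resolved  = [bool]$name
            Rights    = $rule.FileSystemRights
            Type      = $rule.AccessControlType
            Inherited = $rule.IsInherited
            Error     = $err
        }
    }
}

# Sample run against a folder that exists on any machine (constructed input).
Get-AceSidResolution -Path $env:TEMP |
    Sort-Object Resolved |
    Format-Table Sid, Name, Resolved, Type, Inherited, Error -AutoSize
```

Running the same function on the 2008 R2 member server and on another domain member, then comparing the `Resolved` column for the same share, separates a SID that nothing can resolve from one that only fails to resolve on one machine.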

Thanks for the reply. I will check into the links you provided. I do want to mention that this is not being caused by the removal of groups. The groups in question were never deleted and are still in active use on my Win2k machines. The names are simply not showing up in the Win2k8R2 security window. The security group names DO show up correctly in the Win2k security window when viewing the share. Additionally, on the Win2k8R2 machine, I have one share where the names show up correctly, and one where they do not. I have not yet been able to determine the exact conditions or sequence of events that determine if the names will show or not.

Kris
July 30th, 2010 5:21pm

We are also experiencing this issue which is specific to Windows 2008 R2 and Windows 7. Although we have multiple Windows 2003 domain controllers we do still have one Windows 2000 DC / GC on our AD. The issue doesn't always occur, but now that we know somebody else is seeing it and they also have Windows 2000, it is possible that it is only happening when our Windows 2000 DC / GC is queried. Unfortunately this problem manifested itself in other ways. For example, if you go to the local group Administrators you'll note that only the SID is displayed for the domain administrators, etc. As a result we have been unable to get RD RemoteApp to work as Windows 2008 R2 is not able to enumerate the groups / names. The problem does not occur with Windows 2008 (non R2) or previous versions of Windows. Has Microsoft tested Windows 2008 R2 with Windows 2000 DCs?
August 4th, 2010 8:41pm

Hello,

This is a known issue mentioned in the following KB:

Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/kb/976494

Brent Hu
August 5th, 2010 6:12am

This topic is archived. No further replies will be accepted.
