From: j.mickertsgmx.net
Date: Sat Sep 29 2001 - 11:10:32 CDT


    Hi,

    It depends. Typically these can be removed safely, for NT/2k does not find
    a reference entry in the domain's SAM or AD to translate this to a readable
    name, so it is an indication that the account/group the SID refers to has
    been deleted. But this might appear on Domain Controllers that are out of
    sync, and then removing the entry will cause problems as soon as the
    synchronisation works again. So if you are sure that the DC is in sync,
    it should be safe to remove the entry. You can check the sync process in
    the Event log.

    Kind regards,

    Jens Mickerts

    Jeff.Wichmanjunebox.com
    28.09.2001 18:33

     
            To: focus-mssecurityfocus.com
            Cc:
            Subject: Remaining SID's left behind after account deletion

    Not sure if I am correct in my assumptions but I would like to find out
    from the community before I break something. 8)

    In the Domain Security Policy Settings I have some SIDs remaining that are
    in their binary form (S-I-1-3-4-####...). I believe these were left behind
    from an account being deleted from the domain but I am not positive. Is it
    safe to delete these SID's? I have looked through the TechNet site and
    found nothing much in the way of help. These SID's appear under the "act as
    part of operating system, Log on locally, Log on a batch job" and some
    other settings and this is the reason for my concern before I go and
    delete them.

    I found these because event viewer is giving these errors:

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1000
    Date: 9/28/2001
    Time: 11:29:01 AM
    User: NT AUTHORITY\SYSTEM
    Computer: ServerName
    Description:
    The Group Policy client-side extension Security was passed flags (17) and
    returned a failure status code of (1332).

    Event Type: Warning
    Event Source: SceCli
    Event Category: None
    Event ID: 1202
    Date: 9/28/2001
    Time: 11:29:01 AM
    User: N/A
    Computer: ServerName
    Description:
    Security policies are propagated with warning. 0x534 : No mapping between
    account names and security IDs was done.
    Please look for more details in TroubleShooting section in Security Help.

    Any help would be greatly appreciated.

    Thanks in advance.

    Jeff
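
The check discussed in this thread, as an added example that is not part of the original messages: a read-only PowerShell script that exports the local user-rights assignments with `secedit` and lists every SID that no longer translates to an account name. The scratch file name and the output property names are assumptions made for this example.

```powershell
# Added example: report user-rights entries whose SIDs cannot be resolved.
# Run from an elevated prompt on the affected server. It only reads and
# reports; it removes nothing.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # hypothetical scratch file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$inRights = $false
$report = foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]\s*$') {
        # Track whether we are inside the [Privilege Rights] section.
        $inRights = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if ($inRights -and $line -match '^\s*(\w+)\s*=\s*(.+)$') {
        $right   = $Matches[1]                 # e.g. SeBatchLogonRight
        $entries = $Matches[2] -split ','
        foreach ($entry in $entries) {
            # secedit writes SIDs as *S-1-...; names need no lookup.
            if ($entry.Trim() -match '^\*(S-1-[\d-]+)$') {
                $sid = $Matches[1]
                try {
                    $obj = New-Object System.Security.Principal.SecurityIdentifier $sid
                    $null = $obj.Translate([System.Security.Principal.NTAccount])
                }
                catch [System.Security.Principal.IdentityNotMappedException] {
                    # Same condition as status 1332 / 0x534 in the events:
                    # no mapping between account names and security IDs.
                    [pscustomobject]@{ Right = $right; UnresolvedSid = $sid }
                }
            }
        }
    }
}

Remove-Item -Path $cfg -ErrorAction SilentlyContinue
$report | Sort-Object Right, UnresolvedSid | Format-Table -AutoSize
```

An entry in the output means only that this machine could not resolve the SID at the time of the run; as the reply notes, confirm that the domain controllers are in sync before treating it as a deleted account.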