Windows Server

Dhow · Guest

I have an 'Account Unknown' with this name: *S-1-5-32-547
I don't know whose this user belong to, because I've checked in Active
Directory Users and Computers but there is no such account.
Yet I found it beeing recorded (and given access) in these Default Domain
Controller Security Settings Properties (in User Rights Assignment):
- Access this computer from the network
- Allow log on locally
- Bypass traverse checking
- Change the system time
- Profile single process
- Remove computer from docking station
- Shut down the system

I'm very affraid if this user is somekind of account made by hackers, in
order for them to use it to get into the domain controller... Please help me
identify this situation.

Can anyone tell me more about the diffrence between Default Domain
Controller Settings & Default Domain Settings?
If I wish to make certain user accounts at some workstations computers, not
to be able to logon to server locally, where should define this 'Allow log on
locally setting' at: Default Domain Controller Settings or Default Domain
Settings?

Thanks alot!

Chris · Guest

What you have found is and orphaned user. This was a user created on the
machine and then the workstation was disjoined from domain or the
computername changed. You can safely delete this user. There is no concern
for alarm.

"Dhow" <Dhow@discussions.microsoft.com> wrote in message
news:52550CEC-9B48-4DB3-BABD-840B97688508@microsoft.com...

Jenny wu [MSFT] · Guest

Hi,

Thanks for posting here! Many thanks for Chris's input.

The user account like *S-1-5-32-547 is user SID, the reason that here shows
user SID rather than user account display name is ether it is not domain
valid user account or FSMO can not resolve it. There are many factors can
lead to the issue, for example: we restored server from one computer to
another, it is possible that user account can not matches between old
server and new server. And the older user account was not deleted, so the
user SID can be showed there.

If your DC works fine, you can safely delete the user account and add
appropriate user account to the group policy list.

To your second question:

There is an order to apply group policies when domain users and computers
logon to domain. Group Policy settings are processed in the following
order:

1. Local Group Policy object--Each computer has exactly one Group Policy
object that is stored locally.

2. Site--Any Group Policy objects that have been linked to the site are
processed next. Processing is synchronous and in an order that is specified
by the administrator.

3. Domain--Processing of multiple domain-linked Group Policy objects is
synchronous and in an order specified by the administrator.

4. Organizational units--Group Policy objects that are linked to the
organizational unit that is highest in the Active Directory hierarchy are
processed first, then Group Policy objects that are linked to its child
organizational unit, and so on. Finally, the Group Policy objects that are
linked to the organizational unit that contains the user or computer are
processed.

At the level of each organizational unit in the Active Directory hierarchy,
one, many, or no Group Policy objects can be linked. If several Group
Policy objects are linked to an organizational unit, their processing is
synchronous and in an order that is specified by the administrator.

This order means that the local Group Policy object is processed first, and
Group Policy objects that are linked to the organizational unit of which
the computer or user is a direct member are processed last, which
overwrites the earlier Group Policy objects.

And the Default Domain Controller Policy Settings is applied to OU (the
domain controller - the SBS server box) and the Default Domain Policy
Settings is applied to Domain. So the Default Domain Controller Policy
Settings will take effect eventually and by default it will override
settings of the Default Domain Policy settings if there is conflict.

For you want to control users logon the server locally, you need configure
settings of the Default Domain Controller Policy. You can refer to the
following steps to add user accounts who you want to logon the server
locally to the list of "Allow logon locally" policy:

1. Locate the Default Domain Controllers and right click it to choose Edit
to open Group Policy Object Editor.
2. Expand Computer configuration, Windows Settings, Security Settings,
Local Policies, User right assignment.
3. Find the "Allow logon locally" and double click it to open configuration
page and add user accounts here.
4. And then run command line "gpupdate"(no quotation marks) on the server
box to update the group policy.
5. Logoff users from client workstations and then re-logon and run command
"Gpupdate /force" (no quotation marks) to refresh the group policy.

For more detail information to group policy, you can take look at the
following articles. Hope it useful to you!
Order of processing settings
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
rHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx

Order of events when starting up and logging on
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
rHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx

Articles for Group Policy:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
rHelp/6eed436f-5b05-4eaa-9525-c0c429fcf9f6.mspx

Group Policy Overview:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
rHelp/6eed436f-5b05-4eaa-9525-c0c429fcf9f6.mspx

Create or delete a Group Policy object
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
rHelp/4f8dd800-e0e3-44a6-8a4a-d3d34b245fe7.mspx

Troubleshooting Group Policy application problems
http://support.microsoft.com/kb/250842/EN-US/

Group Policy Template Behavior in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;316977

I hope above information is useful to you! I am happy to be assistance of
you and look forward to your reply!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

Dhow · Guest

To Jenny Wu,

Thank so much for your (& Chris too) assistance.

About diffrence between Default Domain Controller Settings & Default Domain
Settings is that the Win SBS 2003 Default Domain Controller Settings will
overide and be loaded after the Default Domain Settings, thus it'll make most
changes even there are conflict with Default Domain Settings... is this
correct?

How about if I change the "Allow logon locally" value at Default Domain
Settings instead, and leave the value at Default Domain Settings "Not
defined"? Will the result that the "Allow logon locally" value will become
"Not defined" because the Default Domain Controller Settings overide it?

Could you pease help me to solve the situation about WindowsSharePoint 2.0
(EventID:1000) I also have: it always make report that "#50070: Unable to
connect to database STS_Config on <ServerName>\SharePoint."
What went wrong there?

Thank you for your information & help.

Jenny wu [MSFT] · Guest

Hi,

Thanks for your update! I am glad to know that information helpful to you.

The Default Domain Controller Policy Settings is applied to OU: the SBS
server box, this means that the policy take effects to the only one
computer. However the Default Domain Policy Settings is applied to Domain,
this means that the policy takes effects to all objects in the domain (user
accounts, computers, OUs and sites). Surely that includes the domain
controller. When the both group policies are all configured one policy
setting (such as: Allow logon locally) to one object, the Default Domain
Controller policy will override the Default Domain policy. If not, the
setting will not be overridden. In another way, the DC computer only be
controlled by the Default Domain Controller policy, and other objects of
the domain will be controlled by the Default Domain Policy.

So if you configured "Allow logon locally" setting of the Default Domain
Policy, only groups or users you added to allow logon list can logon
locally to domain computers. The user account doesn't list here will not
logon client computers locally.

If you want to control users logon to the server box, you need configure
the Default Domain Controller policy. And the setting of the Default Domain
policy will be configured if you want to control logon to other domain
computers.

To the Sharepoint question, I suggest you create a new thread for the issue
and I will continue work with you. Microsoft engineers can only focus on
one issue per thread. And this way can keep the thread clean and other
partners can either share their knowledge or learn from your interaction
with us. Thank you for your understanding.

I am happy to be assistance of you and look forward to work with you again!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

	Windows Server Forum Index -> Small Business Server 2003	All times are GMT
Page 1 of 1