Local Service and other well-known security principals do not appear on your Windows Server 2003 domain controller (827016)


The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition

SYMPTOMS

After you run the dcpromo.exe command on a Microsoft Windows Server 2003 computer to promote the server to a domain controller, the Local Service and other well-known security principals that are introduced with Windows Server 2003 do not appear. You cannot resolve the well-known security principals when you try to add the well-known accounts by using NTFS file system permissions on a file or a folder. Additionally, you cannot resolve the well-known security principals when you use the ADSI Edit tool, the Group Policy Object Editor snap-in (Gpedit.msc), or Registry Editor. Also, if you use the ADSI Edit tool or the LDP tool (Ldp.exe), the well-known accounts do not appear in the following container:

CN=WellKnown Security Principals,CN=Configuration,DC=YourDomain

CAUSE

This behavior occurs when the forest root domain controller that holds the primary domain controller (PDC) emulator operations master role is running Microsoft Windows 2000 Server. If the forest root PDC emulator operations master is running Windows 2000, the CN=WellKnown Security Principals,CN=Configuration,DC=YourDomain container is not updated with the well-known security principals that are introduced in Windows Server 2003. Therefore, the Object Picker cannot find and resolve the corresponding names. The Object Picker queries the WellKnown Security Principals container to find the list of well-known security principals.

RESOLUTION

To resolve this behavior, upgrade the forest root PDC emulator operations master role holder to Windows Server 2003.

WORKAROUND

To work around this behavior, you can script the maintenance of the Windows Server 2003 well-known security principals by using the Subinacl.exe tool. For example, to grant Read permissions to a registry key for the Local Service account, type the following command:

subinacl /keyreg RegKey /grant="local service"=r

Note The Subinacl.exe tool is included in the Windows 2000 Resource Kit.

MORE INFORMATION

You may experience the behavior that is described in the "Symptoms" section with one or more of the following well-known security principals that are introduced in Windows Server 2003:
  • Digest Authentication
  • Local Service
  • Network Service
  • NTLM Authentication
  • Other Organization
  • Remote Interactive Logon
  • SChannel Authentication
  • This Organization

REFERENCES

For additional information about how to determine what domain controller holds the PDC emulator FSMO role, click the following article number to view the article in the Microsoft Knowledge Base:

234790 How to find servers that hold Flexible Single Master Operations roles

For additional information about FSMO roles, click the following article number to view the article in the Microsoft Knowledge Base:

197132 Windows 2000 Active Directory FSMO roles

For additional information about how to upgrade a Windows 2000 domain controller, click the following article number to view the article in the Microsoft Knowledge Base:

325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003

Modification Type:MajorLast Reviewed:1/27/2005
Keywords:kbprb KB827016 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.