Lookup of Permissions on ACLs Shows Only SIDs (262958)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
This article was previously published under Q262958

SYMPTOMS

When you try to view NTFS or share permissions on a Windows 2000 member server or a computer that runs Windows 2000 Professional or Windows XP, the Security Identifiers (SIDs) are displayed, but the account or group to which the SIDs correspond is not displayed.

Additionally, an error message similar to one of the following may be displayed in the Application Event log:
Source: Userenv
Category: None
Type: Error
Event ID: 1000

Description: Windows cannot determine the user or computer name. Return value (5).
-or-
Source: Userenv
Category: None
Type: Error
Event ID: 1053
Description: Windows cannot determine the user or computer name. (Access is denied.). Group Policy processing aborted.
The Gpresult.exe command-line tool from the resource kit may show information similar to the following example: 
The user is a member of the following security groups:

LookupAccountSid failed with 1789.
	\Everyone
	BUILTIN\Users
	BUILTIN\Administrators
LookupAccountSid failed with 1789.
LookupAccountSid failed with 1789.
LookupAccountSid failed with 1789.
	\LOCAL
	NT AUTHORITY\INTERACTIVE
	NT AUTHORITY\Authenticated Users
The 1789 error is listed for every global group in which the user is a member.

CAUSE

This behavior occurs because the computer to which the user is logging on does not have the "Access this Computer from the Network" permission at the validating domain controller. Computers that run Windows 2000 or Windows XP are members of the Authenticated Users group, and either that group or the Everyone group was removed from the list of groups that are granted the "Access this Computer from the Network" permission.

RESOLUTION

In an appropriate Group Policy Object at the Domain Controllers container (most likely the Default Domain Controllers Policy), ensure that the appropriate groups are listed in the "Access this Computer from the Network" permission. You can find this permission in the following folder:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

The following groups have the "Access this Computer from the Network" permission on domain controllers by default:

Administrators
Authenticated Users
Everyone

NOTE: Include the Everyone group in the list of groups because certain operations involve accounts that may not have been authenticated to the domain yet. Examples of these operations include when a user changes an expired password at logon, or when a user in a trusting domain needs to anonymously enumerate users and groups to apply Access Control Lists (ACLs) in the trusting domain (for Microsoft Windows NT 4.0 or inter-forest trusts).
Modification Type:MajorLast Reviewed:9/22/2003
Keywords:kbenv kberrmsg kbprb KB262958
©2003 Microsoft Corporation. All rights reserved.