Cannot Delete Cloned User Accounts that Include Security Identifier History from Local Groups (278693)



The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Professional SP1

This article was previously published under Q278693
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

When you use a tool such as the Active Directory Migration Tool (ADMT) to migrate user accounts from a Microsoft Windows NT 4.0 domain to a Microsoft Windows 2000-based system, and you then add these users to a local group, the accounts cannot be deleted from that group. The following error message is displayed:
The following error occurred while attempting to save properties for group administrators on computer E7ap1.

The specified account Name is not a member of the local group.

RESOLUTION

Please see the resolution section of the following article in the Microsoft Knowledge Base:

266673 Membership From the Local Group Cannot Be Deleted for Migrated Users that Have an SID History Field

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To work around this behavior, you can use any of the following three methods to delete the users from the Local groups:
  1. Use the net command with the following syntax:

    net localgroup "localgroupname" "NT4Domain\Username" /delete
  2. Use User Manager for Domains (Usrmgr.exe). To use this method, navigate to the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Current Version\Network\User Manager For Domains

    Enter the following values:

    Key Type = REG_SZ

    Key Name = AllowNT5Admin

    Value = 1
  3. Disconnect the computer from the network, and then go into Computer Management and delete the user account from the Local group.

Modification Type: Minor
Last Reviewed: 1/26/2006
Keywords:kbbug kbnofix KB278693