The SID of a user account that was deleted appears in the Local Security Policy snap-in after you use the LsaRemoveAccountRights function to remove user rights in Windows 2000 (316827)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
This article was previously published under Q316827.

SYMPTOMS
After you run a program that removes user rights and then deletes the user account, the security identifier (SID) of the user still appears in the Local Security Policy snap-in. The SID of the deleted user account is visible when you expand Local Policies and then click User Rights Assignment. You may experience this symptom after you use the LsaRemoveAccountRights function to programmatically remove the user rights.

CAUSE
This problem occurs if the mapping information for the user rights that is stored in the Local Security Policy snap-in database is not removed for the user account that you deleted. In Microsoft Windows 2000, a background notification occurs for policy changes. The background notification includes information about user rights that are changed and user accounts that are deleted. When you change user rights, Windows 2000 loads Group Policy settings and queries the Local Security Authority (LSA) to obtain the new user rights assignments. Windows 2000 then compares the Group Policy settings with the LSA to determine the differences between them and makes the appropriate changes. The changes are saved back to the appropriate Group Policy object (GPO).
As part of the notification process, Windows 2000 performs a lookup of the user account for validation and for logging purposes. If the user account is deleted before this process occurs, Windows 2000 cannot resolve the SID to an account name and the notification component quits. Therefore, Windows 2000 does not remove the user rights that are assigned to the user account from the GPO. During the next policy propagation, Windows 2000 reloads the user rights that were removed on the local computer. The user rights that were assigned to the user account are not removed from the Local Security Policy snap-in.

RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
WORKAROUND
If there is a sufficient delay between the time when the user rights are removed and the time when the user account is deleted, the notification component has time to finish the lookup of the user account. If you include a sufficient delay before you delete the user account, you do not experience the problem that is described in the "Symptoms" section of this article. For example, you can call the Sleep(1000) function (a one-second delay) between the call to the LsaRemoveAccountRights function and the call to the NetUserDel function that deletes the user account.

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article.
This problem was corrected in Windows 2000 Service Pack 3 (SP3).
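The sequence the "Workaround" section describes, written out as an added example; this is not code from the KB article or from Microsoft. It calls the same three APIs (LsaRemoveAccountRights, Sleep via Start-Sleep, NetUserDel) through P/Invoke from Windows PowerShell 5.1, resolves the account's SID before the deletion so the script does not depend on the name resolving afterwards, and then exports the effective user-rights policy with secedit and searches it for the raw SID, which is what the snap-in shows for an account it can no longer resolve. The function name Remove-RightsThenDeleteUser, its parameters, the account name svc-legacy, the right SeServiceLogonRight and the use of POLICY_ALL_ACCESS are choices made for this example, not anything the article specifies; it assumes an elevated session on the local machine and a local (not domain) account.

```powershell
# Added example (not from KB 316827): remove a local user's rights, wait,
# delete the account, then check the exported policy for the orphaned SID.
# Assumes Windows PowerShell 5.1, an elevated session, and a local account.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class LsaNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    public const uint POLICY_ALL_ACCESS = 0x000F0FFF;   // broad for brevity; an assumption of this example
    [DllImport("advapi32.dll")] public static extern uint LsaOpenPolicy(IntPtr SystemName,
        ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")] public static extern uint LsaRemoveAccountRights(IntPtr PolicyHandle,
        IntPtr AccountSid, [MarshalAs(UnmanagedType.U1)] bool AllRights,
        LSA_UNICODE_STRING[] UserRights, uint CountOfRights);
    [DllImport("advapi32.dll")] public static extern uint LsaClose(IntPtr ObjectHandle);
    [DllImport("advapi32.dll")] public static extern uint LsaNtStatusToWinError(uint Status);
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint NetUserDel(string ServerName, string UserName);
}
"@

function Remove-RightsThenDeleteUser {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string[]] $Rights = @('SeServiceLogonRight'),  # illustrative right
        [int] $DelayMs = 1000                            # the KB's Sleep(1000)
    )
    $M = [System.Runtime.InteropServices.Marshal]

    # Resolve the SID while the account still exists; after NetUserDel the name
    # no longer resolves, which is the condition that stops the notification.
    $sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)
    $pSid = $M::AllocHGlobal($sidBytes.Length)
    $M::Copy($sidBytes, 0, $pSid, $sidBytes.Length)

    # LSA_UNICODE_STRING lengths are byte counts of the UTF-16 text.
    $lsaRights = [LsaNative+LSA_UNICODE_STRING[]]@(foreach ($r in $Rights) {
        $s = New-Object 'LsaNative+LSA_UNICODE_STRING'
        $s.Buffer = $M::StringToHGlobalUni($r)
        $s.Length = [uint16]($r.Length * 2)
        $s.MaximumLength = [uint16]($s.Length + 2)
        $s
    })

    $attrs = New-Object 'LsaNative+LSA_OBJECT_ATTRIBUTES'
    $attrs.Length = $M::SizeOf([type]'LsaNative+LSA_OBJECT_ATTRIBUTES')
    $policy = [IntPtr]::Zero
    $st = [LsaNative]::LsaOpenPolicy([IntPtr]::Zero, [ref]$attrs, [LsaNative]::POLICY_ALL_ACCESS, [ref]$policy)
    if ($st -ne 0) { throw "LsaOpenPolicy: Win32 error $([LsaNative]::LsaNtStatusToWinError($st))" }
    try {
        # Step 1: remove the named rights (AllRights = $false, explicit list).
        $st = [LsaNative]::LsaRemoveAccountRights($policy, $pSid, $false, $lsaRights, [uint32]$lsaRights.Length)
        if ($st -ne 0) { throw "LsaRemoveAccountRights: Win32 error $([LsaNative]::LsaNtStatusToWinError($st))" }
    } finally {
        [void][LsaNative]::LsaClose($policy)
        foreach ($s in $lsaRights) { $M::FreeHGlobal($s.Buffer) }
        $M::FreeHGlobal($pSid)
    }

    # Step 2, the workaround itself: give the policy-change notification time
    # to look the account up before its name disappears.
    Start-Sleep -Milliseconds $DelayMs

    # Step 3: delete the account.
    $rc = [LsaNative]::NetUserDel($null, $UserName)
    if ($rc -ne 0) { throw "NetUserDel: NET_API_STATUS $rc" }

    # Check: the snap-in shows a raw SID when the name cannot be resolved, so
    # search an export of the effective user-rights policy for the SID string.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $hits = Select-String -Path $inf -Pattern $sid.Value -SimpleMatch
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($hits) { Write-Warning "Orphaned SID $($sid.Value) still assigned: $($hits.Line -join '; ')" }
    else       { Write-Host "No user right references $($sid.Value)" }
}

# Illustrative usage against a throwaway local account:
# Remove-RightsThenDeleteUser -UserName 'svc-legacy' -Rights 'SeServiceLogonRight' -DelayMs 1000
```

The order matters: the SID is captured before NetUserDel because the LSA and the Local Security Policy snap-in can only display a SID, not a name, once the account is gone, and that SID string is the only thing left to search for. If the final check reports the SID as still assigned, the delay was too short for the notification component to finish its lookup (or the system predates SP3, where the fix lives), and the stale entry should be removed from User Rights Assignment by hand.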
Modification Type: Minor
Last Reviewed: 9/30/2005
Keywords: kbHotfixServer kbQFE kbbug kbfix kbSecurity kbWin2000sp3fix KB316827 kbAudITPRO