Lookup of Permissions on ACLs Shows Only SIDs

When you try to view NTFS or share permissions on a Windows 2000 member server or a computer that runs Windows 2000 Professional or Windows XP, the Security Identifiers (SIDs) are displayed, but the account or group to which the SIDs correspond is not displayed.

Additionally, an error message similar to one of the following may be displayed in the Application Event log: -or-The Gpresult.exe command-line tool from the resource kit may show information similar to the following example: The 1789 error is listed for every global group in which the user is a member.

This behavior occurs because the computer to which the user is logging on does not have the "Access this Computer from the Network" permission at the validating domain controller. Computers that run Windows 2000 or Windows XP are members of the Authenticated Users group, and either that group or the Everyone group was removed from the list of groups that are granted the "Access this Computer from the Network" permission.

In an appropriate Group Policy Object at the Domain Controllers container (most likely the Default Domain Controllers Policy), ensure that the appropriate groups are listed in the "Access this Computer from the Network" permission. You can find this permission in the following folder: The following groups have the "Access this Computer from the Network" permission on domain controllers by default: NOTE: Include the Everyone group in the list of groups because certain operations involve accounts that may not have been authenticated to the domain yet. Examples of these operations include when a user changes an expired password at logon, or when a user in a trusting domain needs to anonymously enumerate users and groups to apply Access Control Lists (ACLs) in the trusting domain (for Microsoft Windows NT 4.0 or inter-forest trusts).