Article ID: 316827
This article was previously published under Q316827
After you run a program that removes a user's rights and then deletes the user account, the security identifier (SID) of the deleted user still appears in the Local Security Policy snap-in. The SID is visible when you expand Local Policies and then click User Rights Assignment. You may experience this symptom after you use the LsaRemoveAccountRights function to remove the user rights programmatically.
This problem occurs when the user-rights mapping for the deleted account is not removed from the local security policy database. In Microsoft Windows 2000, a policy change triggers a background notification that carries information about user rights that were changed and user accounts that were deleted. When user rights change, Windows 2000 loads the Group Policy settings, queries the Local Security Authority (LSA) for the current user rights assignments, compares the two to determine the differences, and writes the resulting changes back to the appropriate Group Policy object (GPO).
As part of this notification processing, Windows 2000 looks up the user account for validation and for logging. If the account has already been deleted when the lookup runs, Windows 2000 cannot resolve the SID and the notification component quits without updating the GPO. The user rights that were assigned to the account therefore remain in the GPO. During the next policy propagation, Windows 2000 reapplies those user rights on the local computer, so the unresolved SID of the deleted account is still listed in the Local Security Policy snap-in.
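The following PowerShell is an added example, not part of the original article, that checks for the symptom described above without eyeballing the snap-in: it exports the effective user rights assignments with secedit.exe, parses the [Privilege Rights] section, and reports entries whose SID no longer resolves to an account. The sample export embedded at the bottom is constructed for the offline demonstration and does not come from any real machine; the live check assumes an elevated session on the computer being examined.

```powershell
# Added example (not from the KB article): list user-rights entries in the local
# policy whose SID no longer resolves, which is how a deleted account shows up in
# User Rights Assignment. Assumes secedit.exe and an elevated session for the live check.

function Get-UserRightsFromInf {
    # Parse the [Privilege Rights] section of a secedit-format .inf and return one
    # object per (right, principal) pair. secedit writes principals as *S-1-... SIDs;
    # hand-written templates may use plain account names instead.
    param([Parameter(Mandatory)][string[]]$Lines)

    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        foreach ($p in ($Matches[2] -split ',')) {
            $p = $p.Trim()
            if ($p -eq '') { continue }
            [pscustomobject]@{
                Right     = $right
                Principal = $p.TrimStart('*')
                IsSid     = $p.StartsWith('*')
            }
        }
    }
}

function Test-SidResolves {
    # $true when the SID maps to an account name; $false for an orphaned SID.
    # Caveat: on current Windows some legitimate SIDs (for example capability SIDs,
    # S-1-15-3-...) never translate, so treat S-1-5-21-...-RID entries as the real signal.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $null = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
                    [System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

function Get-OrphanedUserRights {
    # Export the live policy and report SID entries that cannot be resolved.
    param([string]$InfPath = (Join-Path $env:TEMP 'user-rights.inf'))
    & secedit.exe /export /cfg $InfPath /areas USER_RIGHTS /quiet | Out-Null
    Get-UserRightsFromInf -Lines (Get-Content -LiteralPath $InfPath) |
        Where-Object { $_.IsSid -and -not (Test-SidResolves -Sid $_.Principal) }
}

# Constructed sample export (not taken from any real machine) to exercise the parser offline.
# The S-1-5-21-... values are placeholders for a machine SID plus account RIDs.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1001
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1002
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
'@
Get-UserRightsFromInf -Lines ($sampleInf -split "`r?`n") | Format-Table -AutoSize

# Live check on this computer (run elevated): Get-OrphanedUserRights
```

The parser is kept separate from the resolver so that the export of one machine can be examined on another; resolution through NTAccount uses the local LSA, so run Get-OrphanedUserRights on the computer whose policy you exported.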
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack (http://support.microsoft.com/kb/260910/)
If there is enough delay between the removal of the user rights and the deletion of the user account, the notification component has time to finish its lookup of the account, and the problem that is described in the "Symptoms" section of this article does not occur. For example, call Sleep(1000) between the call to the LsaRemoveAccountRights function and the call to the NetUserDel function that deletes the user account. Note that the delay is a timing heuristic rather than a synchronization with the notification component; the service pack described in the "Resolution" section corrects the underlying problem.
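The sequence described above, as an added example that is not part of the original article: the rights are removed with LsaRemoveAccountRights, the process waits, and only then is the account deleted with NetUserDel. The article describes a C program; this version calls the same Win32 functions from PowerShell through P/Invoke. It assumes the local computer (a NULL system name), a local account name, and one or more right names such as SeServiceLogonRight; the 1000 ms default is the Sleep(1000) value the article suggests, not a measured bound, and the delay only matters on a Windows 2000 system without SP3.

```powershell
# Added example (not from the KB article): the article's workaround, LsaRemoveAccountRights,
# a delay, then NetUserDel, called from PowerShell through P/Invoke.
# Assumptions: local machine, a local account name, named rights; 1000 ms is the article's value.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class LsaNative
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING
    {
        public ushort Length;        // bytes, excluding the terminator
        public ushort MaximumLength; // bytes, including the terminator
        public IntPtr Buffer;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES
    {
        public int Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;
        public uint Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    public const uint POLICY_LOOKUP_NAMES = 0x00000800; // required for LsaRemoveAccountRights

    [DllImport("advapi32.dll")]
    public static extern uint LsaOpenPolicy(IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);

    [DllImport("advapi32.dll")]
    public static extern uint LsaRemoveAccountRights(IntPtr PolicyHandle, byte[] AccountSid, [MarshalAs(UnmanagedType.I1)] bool AllRights, LSA_UNICODE_STRING[] UserRights, uint CountOfRights);

    [DllImport("advapi32.dll")]
    public static extern uint LsaClose(IntPtr ObjectHandle);

    [DllImport("advapi32.dll")]
    public static extern uint LsaNtStatusToWinError(uint Status);

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint NetUserDel(string servername, string username);

    // Remove one named right from the account SID on the local machine; throws on failure.
    public static void RemoveRight(byte[] sid, string right)
    {
        var attrs = new LSA_OBJECT_ATTRIBUTES();
        attrs.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
        IntPtr policy;
        uint status = LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_LOOKUP_NAMES, out policy);
        if (status != 0) throw new System.ComponentModel.Win32Exception((int)LsaNtStatusToWinError(status));
        IntPtr buf = Marshal.StringToHGlobalUni(right);
        try
        {
            var rights = new LSA_UNICODE_STRING[1];
            rights[0].Buffer = buf;
            rights[0].Length = (ushort)(right.Length * 2);
            rights[0].MaximumLength = (ushort)(right.Length * 2 + 2);
            status = LsaRemoveAccountRights(policy, sid, false, rights, 1);
            if (status != 0) throw new System.ComponentModel.Win32Exception((int)LsaNtStatusToWinError(status));
        }
        finally
        {
            Marshal.FreeHGlobal(buf);
            LsaClose(policy);
        }
    }
}
'@

function Remove-LocalUserWithRights {
    param(
        [Parameter(Mandatory)][string]$UserName,   # local account to delete
        [Parameter(Mandatory)][string[]]$Rights,   # e.g. 'SeServiceLogonRight'
        [int]$DelayMs = 1000                       # the article's Sleep(1000)
    )
    # Resolve the account to its SID while the account still exists.
    $sidObj = (New-Object System.Security.Principal.NTAccount $UserName).Translate(
                  [System.Security.Principal.SecurityIdentifier])
    $sid = New-Object byte[] ($sidObj.BinaryLength)
    $sidObj.GetBinaryForm($sid, 0)

    foreach ($r in $Rights) { [LsaNative]::RemoveRight($sid, $r) }

    # Give the policy-change notification time to look up the account before it disappears.
    Start-Sleep -Milliseconds $DelayMs

    $rc = [LsaNative]::NetUserDel($null, $UserName)
    if ($rc -ne 0) { throw "NetUserDel failed with error $rc" }
}

# Usage (elevated): Remove-LocalUserWithRights -UserName 'svc-old' -Rights 'SeServiceLogonRight'
```

The SID is captured before any right is removed, because once NetUserDel has run the name can no longer be translated; passing the binary SID as a byte array lets the marshaler hand LsaRemoveAccountRights a pointer without manual allocation. BOOLEAN is a single byte in the native signature, hence the I1 marshaling on AllRights.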
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article. This problem was corrected in Windows 2000 Service Pack 3 (SP3).
For more information about the LsaRemoveAccountRights function, visit the following Microsoft Web site:
Article ID: 316827 - Last Review: March 22, 2007 - Revision: 1.5