The SID of a user account that was deleted appears in the Local Security Policy snap-in after you use the LsaRemoveAccountRights function to remove user rights in Windows 2000

Article ID: 316827
This article was previously published under Q316827

SYMPTOMS

After you run a program that removes user rights and then deletes the user account, the security identifier (SID) of the user still appears in the Local Security Policy snap-in. The SID of the user account that was deleted is visible when you expand Local Policies and then click User Rights Assignment. You may experience this symptom after you use the LsaRemoveAccountRights function to programmatically remove the user rights.

CAUSE

This problem occurs if the mapping information for the user rights that is stored in the Local Security Policy snap-in database is not removed for the user account that you deleted. In Microsoft Windows 2000, a background notification occurs for policy changes. The background notification includes information about user rights that are changed and user accounts that are deleted. When you change user rights, Windows 2000 loads Group Policy settings and queries the Local Security Authority (LSA) to obtain the new user rights assignments. Windows 2000 then compares Group Policy settings and the LSA to determine the differences between them and makes the appropriate changes. The changes are saved back to the appropriate Group Policy object (GPO).

As part of the notification process, Windows 2000 performs a lookup of the user account for validation and for logging purposes. If the user account is deleted before this process occurs, Windows 2000 cannot resolve the SID and the notification component quits. Therefore, Windows 2000 does not remove the user rights that are assigned to the user account from the GPO. During the next policy propagation, Windows 2000 reloads the user rights that were removed on the local computer. The user rights that were assigned to the user account are not removed from the Local Security Policy snap-in.

RESOLUTION

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack

WORKAROUND

If there is a sufficient delay between the time when the user rights are removed and the time when the user account is deleted, the notification component has time to finish the lookup of the user account. If you include a sufficient delay before you delete the user account, you do not experience the problem that is described in the "Symptoms" section of this article. For example, you can use the Sleep(1000) function between the call to the LsaRemoveAccountRights function and the call to the NetUserDel function that is used to delete the user account.
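The symptom itself, an unresolvable SID left in User Rights Assignment, can be checked for directly. The following is an added example, not code from the article: it exports the local user rights with secedit and reports every privilege holder that is still a raw SID the local machine cannot map to an account. It assumes a later Windows release with PowerShell and an elevated session; the file name and the `Se*` privilege pattern are assumptions of this script, not from the article.

```powershell
# Added check, not from the KB article: export User Rights Assignment with
# secedit and list privilege holders that are unresolvable SIDs (the orphaned
# entries left behind when an account is deleted right after its rights are
# removed, as described in this article). Run from an elevated prompt.

$inf = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())   # assumed scratch path
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed" }

$orphans = @()
$inSection = $false
# secedit writes a UTF-16 INF; holders appear as *S-1-... or as account names
foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
    $privilege = $Matches[1]
    foreach ($holder in ($Matches[2] -split ',')) {
        $holder = $holder.Trim()
        if (-not $holder.StartsWith('*')) { continue }   # already a resolved name
        $sid = New-Object System.Security.Principal.SecurityIdentifier($holder.Substring(1))
        try {
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # LSA could not map the SID to any account: a dangling assignment
            $orphans += [pscustomobject]@{ Privilege = $privilege; Sid = $sid.Value }
        }
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

if ($orphans.Count -eq 0) { "No unresolvable SIDs in User Rights Assignment." }
else { $orphans | Format-Table -AutoSize }
```

Treat each hit as something to investigate rather than delete automatically: a SID from a trusted domain that is temporarily unreachable, or a capability SID on newer Windows versions, will also fail to translate.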

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article. This problem was corrected in Windows 2000 Service Pack 3 (SP3).

MORE INFORMATION

For more information about the LsaRemoveAccountRights function, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms721809.aspx

Properties

Article ID: 316827 - Last Review: March 22, 2007 - Revision: 1.5
APPLIES TO
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
Keywords: 
kbhotfixserver kbqfe kbbug kbfix kbsecurity kbwin2000sp3fix KB316827
