Article ID: 948502 - Last Review: October 24, 2008 - Revision: 1.0

Error message when you try to store a security descriptor by using an administration tool or a script in Windows Server 2003: "The security ID structure is invalid Facility: Win32 ID no: 80070539"

View products that this article applies to.

On This Page

Expand all | Collapse all

SYMPTOMS

On a Windows Server 2003-based computer, you have an administration tool or a script that uses the Active Directory Service Interfaces (ADSI) IADs interface to manage security descriptors. You load a security descriptor for editing by using the administration tool or the script. When you try to store the security descriptor, you may receive an error message that resembles the following error message:

The security ID structure is invalid.
Facility: Win32
ID no: 80070539
This problem may occur even though you have hotfix 840885 installed.

Note This problem may also occur in Windows Vista and Windows Server 2008.
Back to the top

CAUSE

This problem may occur when the owner of the objects is in a domain other than the domain where the administration tool or the script is running. Also, the computer where the tool or script runs does not have the correct connectivity enabled with the domain where the owner account is defined.

In this situation, you can run a code path where the security descriptor can be loaded. However, this code path fails for owner user and owner group even if these entries were not changed.
Back to the top

WORKAROUND

To work around this problem, use one of the following methods.
Back to the top

Method 1

Open all required ports for the Local Security Authority (LSA) service according to Microsoft Knowledge Base article 832017.
832017  (http://support.microsoft.com/kb/832017/ ) Service overview and network port requirements for the Windows Server system
Back to the top

Method 2

Block all ports to the domain controllers of other domains.
Back to the top

Method 3

Manage the security descriptor by using another computer that has firewall rules that allow this operation against the remote domain controller to succeed.
Back to the top

Method 4

Change the owner of the objects to a user or group in the domain where the administration tool or the script is running.
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Ultimate
Back to the top
Keywords: 
kbexpertiseadvanced kbprb KB948502
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations