You are currently offline, waiting for your internet to reconnect

Lookup of Permissions on ACLs Shows Only SIDs

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article was previously published under Q262958
SYMPTOMS
When you try to view NTFS or share permissions on a Windows 2000 member server or a computer that runs Windows 2000 Professional or Windows XP, the Security Identifiers (SIDs) are displayed, but the account or group to which the SIDs correspond is not displayed.

Additionally, an error message similar to one of the following may be displayed in the Application Event log:
Source: Userenv
Category: None
Type: Error
Event ID: 1000

Description: Windows cannot determine the user or computer name. Return value (5).
-or-
Source: Userenv
Category: None
Type: Error
Event ID: 1053
Description: Windows cannot determine the user or computer name. (Access is denied.). Group Policy processing aborted.
The Gpresult.exe command-line tool from the resource kit may show information similar to the following example:
The user is a member of the following security groups:LookupAccountSid failed with 1789.	\Everyone	BUILTIN\Users	BUILTIN\AdministratorsLookupAccountSid failed with 1789.LookupAccountSid failed with 1789.LookupAccountSid failed with 1789.	\LOCAL	NT AUTHORITY\INTERACTIVE	NT AUTHORITY\Authenticated Users				
The 1789 error is listed for every global group in which the user is a member.
CAUSE
This behavior occurs because the computer to which the user is logging on does not have the "Access this Computer from the Network" permission at the validating domain controller. Computers that run Windows 2000 or Windows XP are members of the Authenticated Users group, and either that group or the Everyone group was removed from the list of groups that are granted the "Access this Computer from the Network" permission.
RESOLUTION
In an appropriate Group Policy Object at the Domain Controllers container (most likely the Default Domain Controllers Policy), ensure that the appropriate groups are listed in the "Access this Computer from the Network" permission. You can find this permission in the following folder:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
The following groups have the "Access this Computer from the Network" permission on domain controllers by default:
Administrators
Authenticated Users
Everyone
NOTE: Include the Everyone group in the list of groups because certain operations involve accounts that may not have been authenticated to the domain yet. Examples of these operations include when a user changes an expired password at logon, or when a user in a trusting domain needs to anonymously enumerate users and groups to apply Access Control Lists (ACLs) in the trusting domain (for Microsoft Windows NT 4.0 or inter-forest trusts).
resolve fail missing name icon gpresult security dialog
Properties

Article ID: 262958 - Last Review: 05/29/2007 23:12:32 - Revision: 3.4

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
  • kbenv kberrmsg kbprb KB262958
Feedback