This article was previously published under Q262958
This article has been archived. It is offered "as is" and will no longer be updated.
When you try to view NTFS or share permissions on a Windows 2000 member server or a computer that runs Windows 2000 Professional or Windows XP, the Security Identifiers (SIDs) are displayed, but the account or group to which the SIDs correspond is not displayed.
Additionally, an error message similar to one of the following may be displayed in the Application Event log:
Description: Windows cannot determine the user or computer name. Return value (5).
Source: Userenv Category: None Type: Error Event ID: 1053 Description: Windows cannot determine the user or computer name. (Access is denied.). Group Policy processing aborted.
The Gpresult.exe command-line tool from the resource kit may show information similar to the following example:
The user is a member of the following security groups:LookupAccountSid failed with 1789. \Everyone BUILTIN\Users BUILTIN\AdministratorsLookupAccountSid failed with 1789.LookupAccountSid failed with 1789.LookupAccountSid failed with 1789. \LOCAL NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users
The 1789 error is listed for every global group in which the user is a member.
This behavior occurs because the computer to which the user is logging on does not have the "Access this Computer from the Network" permission at the validating domain controller. Computers that run Windows 2000 or Windows XP are members of the Authenticated Users group, and either that group or the Everyone group was removed from the list of groups that are granted the "Access this Computer from the Network" permission.
In an appropriate Group Policy Object at the Domain Controllers container (most likely the Default Domain Controllers Policy), ensure that the appropriate groups are listed in the "Access this Computer from the Network" permission. You can find this permission in the following folder:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
The following groups have the "Access this Computer from the Network" permission on domain controllers by default:
Administrators Authenticated Users Everyone
NOTE: Include the Everyone group in the list of groups because certain operations involve accounts that may not have been authenticated to the domain yet. Examples of these operations include when a user changes an expired password at logon, or when a user in a trusting domain needs to anonymously enumerate users and groups to apply Access Control Lists (ACLs) in the trusting domain (for Microsoft Windows NT 4.0 or inter-forest trusts).
resolve fail missing name icon gpresult security dialog