The LsaLookupSids function may return the old user name instead of the new user name if the user name has changed

SYMPTOMS
Consider the following scenario:
  • On the domain member computer, an application calls the LsaLookupSids function to translate a security identifier (SID) to a user name.
  • The user name has been changed on a domain controller.
In this scenario, the LsaLookupSids function may return the old user name instead of the new user name. This behavior may prevent the application from working correctly.
CAUSE
The local security authority (LSA) caches the mapping between the SID and the user name in a local cache on the domain member computer. The cached user name is not synchronized with domain controllers. The LSA on the domain member computer first queries the local SID cache. If an existing mapping is already in the local SID cache, the LSA returns the cached user name information instead of querying the domain controllers. This behavior is intended to improve performance.

The cache entries do time out. However, recurring queries by applications are likely to keep an existing cache entry alive for the maximum lifetime of the entry, so the stale mapping can persist indefinitely in practice.
WORKAROUND
To work around this issue, disable the local SID cache on the domain member computer. To do this, follow these steps:
  1. Open Registry Editor.

    To do this in Windows XP or in Windows Server 2003, click Start, click Run, type regedit, and then click OK.

    To do this in Windows Vista and newer, click Start, type regedit in the Start Search box, and then press ENTER.
  2. Locate and then right-click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Point to New, and then click DWORD Value.
  4. Type LsaLookupCacheMaxSize, and then press ENTER.
  5. Right-click LsaLookupCacheMaxSize, and then click Modify.
  6. In the Value data box, type 0, and then click OK.
  7. Exit Registry Editor.
Note: The LsaLookupCacheMaxSize registry entry sets the maximum number of cached mappings that can be saved in the local SID cache. The default maximum number is 128. When the LsaLookupCacheMaxSize registry entry is set to 0, the local SID cache is disabled.
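The same workaround, scripted, as an added example that is not part of the original article: it reads the current LsaLookupCacheMaxSize value (reporting the documented default of 128 when the entry is absent), sets it to 0, and then performs a SID-to-name lookup. It assumes an elevated PowerShell session on the domain member computer; the SID used for the lookup is a well-known placeholder, not an account from the article.

```powershell
# Added example (KB946358 workaround): inspect and disable the LSA SID-name cache.
# Assumption: run in an elevated PowerShell session on the domain member computer.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LsaLookupCacheMaxSize'

function Get-LsaLookupCacheMaxSize {
    # Returns the configured cache size, or 128 (the default stated in the article)
    # when the registry entry does not exist.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 128 }
    return [int]$item.$ValueName
}

function Disable-LsaLookupCache {
    # Creates or overwrites the REG_DWORD with 0, which disables the local SID cache.
    # Trade-off from the article: every lookup now goes to a domain controller,
    # so expect more DC load and network traffic in exchange for fresh names.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Resolve-SidToName {
    param([Parameter(Mandatory)][string]$Sid)
    # .NET's Translate() is implemented on top of LsaLookupSids on Windows,
    # so this lookup is subject to the same local SID cache as a native caller.
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
}

Write-Host ("LsaLookupCacheMaxSize before: {0} (0 = cache disabled)" -f (Get-LsaLookupCacheMaxSize))
Disable-LsaLookupCache
Write-Host ("LsaLookupCacheMaxSize after : {0}" -f (Get-LsaLookupCacheMaxSize))

# Placeholder lookup using the well-known local Administrators alias (S-1-5-32-544).
# To observe the renamed-account case from the article, substitute the SID of a
# domain account that was renamed on a domain controller.
Resolve-SidToName -Sid 'S-1-5-32-544'
```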
STATUS
The behavior is by design.
MORE INFORMATION
The LSA maintains a SID cache on domain member computers. This cache stores mappings between SIDs and user names. If the SID information exists in the local cache, the LSA returns the cached user name information instead of checking whether the user name has changed.

The local SID cache helps reduce domain controller workload and network traffic. However, inconsistency may occur between the local cache and the domain controllers.
REFERENCES
TechNet has an article that covers SID-to-name resolution approaches, including a detailed description of this cache:

http://technet.microsoft.com/en-us/library/ff428139(WS.10).aspx

For more information about the LsaLookupSids function, visit the following Microsoft Web site:
Properties

Article ID: 946358 - Last Review: 11/15/2011 15:39:00 - Revision: 4.0

Microsoft Windows XP Professional, Microsoft Windows Server 2003 Service Pack 2, Windows Vista Ultimate, Windows Vista Enterprise, Windows Vista Business, Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows 7 Professional, Windows 7 Enterprise, Windows 7 Ultimate
