How do I fix SIDs appearing in Local Security Policy instead of the name of the Domain User or Group on a member server of a domain?

I have two member servers in which the SIDs are appearing instead of the name of the domain user or domain group in the local security policy. It is only occurring on two servers; all other member servers in the domain show the domain user or group properly. All local users or groups appear correctly in the local security policy on these two member servers. I have restarted the servers, run gpupdate, run netdiag, and checked their ability to reach the global catalogs, but there are no errors.

How can I force these two systems to resolve the SIDs to the domain user or group names in the local security policy?
JohnMathisonAsked:
JohnMathisonAuthor Commented:
Thanks xuserx2000,
I used the command line you gave, but it showed that they were valid accounts, which gave confirmation to what I already knew. I was hoping there was a simple tool that would force SID - name resolution, but I guess not.

We had no domain migration, all servers are Windows Server 2003 with all updates, and DNS is all correct. We did have a major UPS failure a couple of weeks ago (both large UPS 5000va battery packs on the same day and one UPS power module not going into bypass, what bad luck) and the DCs went down, but once I got everything back up, there were no apparent problems except this SID issue.

I shut down the services the two servers were providing to the network, disjoined and rejoined the servers to the Domain and that seemed to have worked - SIDs no longer show up, just the domain user and group names. I was trying to avoid having to interrupt services.

Issue resolved through disjoining and rejoining member servers in domain. Thank you for the input.
0
 
PlaceboC6Commented:
It is possible they are SIDs from accounts that are no longer in existence. Typically when I see a SID, I just delete the SID out.
0
 
JohnMathisonAuthor Commented:
The SIDs are valid accounts, not old accounts; they are just not resolving to their domain names. NO domain users or groups are showing up as anything but SIDs on these two servers; they appear correctly on all other servers. I need to force them to resolve.
0
 
Ron MalmsteadInformation Services ManagerCommented:
As the first poster mentioned... the SIDs may belong to users that no longer exist. Another reason would be slow AD performance.

To figure out if these SIDs are valid... run this command line.
dsquery user -name * | dsget user -sid -samid > c:\userlist.txt

Now open the C:\userlist.txt in notepad, and search for the SID.


0
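
The dsquery check above confirms that a SID exists in the directory; the check below, run on the affected member server itself, shows whether that server can translate the SIDs in its own local policy. It is an added example, not part of the original thread, and assumes PowerShell 2.0 or later, an elevated prompt, and a temporary file path chosen here for illustration.

```powershell
# Added example: report which SIDs in the local User Rights Assignment
# this machine can and cannot translate to account names.
$cfg = Join-Path $env:TEMP 'user_rights.inf'   # assumed scratch path

# Export only the User Rights Assignment area of the local security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed: $cfg was not created" }

$ntAccount = [System.Security.Principal.NTAccount]
$inSection = $false
$results = foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') {
        # Only the [Privilege Rights] section lists rights and their holders.
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }

    $right   = $Matches[1]
    $entries = $Matches[2] -split ','
    foreach ($entry in $entries) {
        # secedit writes SIDs with a leading '*'; entries without it are plain names.
        if ($entry.Trim() -notmatch '^\*(S-1-[\d-]+)$') { continue }
        $sid = $Matches[1]
        try {
            $obj    = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $name   = $obj.Translate($ntAccount).Value
            $status = 'Resolved'
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # The lookup completed but returned no name for this SID.
            $name = ''; $status = 'Unresolved'
        } catch {
            # The lookup itself failed (for example, no domain controller answered).
            $name = $_.Exception.Message; $status = 'LookupError'
        }
        New-Object PSObject -Property @{
            Right = $right; Sid = $sid; Status = $status; Name = $name
        }
    }
}

Remove-Item $cfg
$results | Sort-Object Status, Right |
    Format-Table Right, Sid, Status, Name -AutoSize
```

If the domain SIDs (those beginning with S-1-5-21-) are listed as unresolved on this server while the dsquery output contains them, the accounts are valid and the fault lies in this server's ability to translate them.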
 
Ron MalmsteadInformation Services ManagerCommented:
Have you done a domain migration recently?

What are the OSes of these member servers?

Did you verify proper DNS settings?
0