How do I fix SIDs appearing in Local Security Policy instead of the name of the Domain User or Group on a member server of a domain?

I have two member servers in which the SIDs are appearing instead of the name of the domain user or domain group in the local security policy. It is only occurring on two servers; all other member servers in the domain show the domain user or group properly. All local users or groups appear correctly in the local security policy on these two member servers. I have restarted the servers, run gpupdate, run netdiag, and checked their ability to reach the global catalogs, but there are no errors.

How can I force these two systems to resolve the SIDs to the domain user or group names in the local security policy?

It is possible they are SIDs from accounts that are no longer in existence. Typically when I see a SID, I just delete the SID out.
JohnMathison (Author) Commented:
The SIDs are valid accounts, not old accounts; they are just not resolving to their domain names. NO domain users or groups are showing up as anything but SIDs on these two servers; they appear correctly on all other servers. I need to force them to resolve.
Ron Malmstead (Information Services Manager) Commented:
As the first poster mentioned, the SIDs may belong to users that no longer exist. Another reason would be slow AD performance.

To figure out if these SIDs are valid, run this command line.
dsquery user -name * | dsget user -sid -samid > c:\userlist.txt

Now open C:\userlist.txt in Notepad, and search for the SID.

Ron Malmstead (Information Services Manager) Commented:
Have you done a domain migration recently?

What are the OSes of these member servers?

Did you verify proper DNS settings?
JohnMathison (Author) Commented:
Thanks xuserx2000,
I used the command line you gave, but it showed that they were valid accounts, which gave confirmation to what I already knew. I was hoping there was a simple tool that would force SID - name resolution, but I guess not.

We had no domain migration, all servers are Windows Server 2003 with all updates, and DNS is all correct. We did have a major UPS failure a couple of weeks ago (both large UPS 5000va battery packs on the same day and one UPS power module not going into bypass, what bad luck) and the DCs went down, but once I got everything back up, there were no apparent problems except this SID issue.

I shut down the services the two servers were providing to the network, disjoined and rejoined the servers to the domain, and that seemed to have worked - SIDs no longer show up, just the domain user and group names. I was trying to avoid having to interrupt services.

Issue resolved through disjoining and rejoining member servers in domain. Thank you for the input.
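
The manual step suggested in the thread (searching userlist.txt for each SID) can be done for every SID in the policy at once. The following is an added example, not part of the original thread: it cross-references the [Privilege Rights] section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file with the dsget output. The use of secedit, the file name rights.inf, both sample inputs and all function names are assumptions made for illustration.

```python
import re

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Constructed sample of a secedit USER_RIGHTS export (real exports are usually UTF-16).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1110,svc_local
[Version]
signature="$CHICAGO$"
"""

# Constructed sample of the userlist.txt written by the dsquery | dsget command.
SAMPLE_USERLIST = """  samid        sid
  jdoe         S-1-5-21-1111111111-2222222222-3333333333-1105
dsget succeeded
"""

def parse_userlist(text):
    """Map SID -> samid; works whichever column dsget prints first."""
    users = {}
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:  # header and status lines contain no SID and are skipped
            users[m.group()] = (line[:m.start()] + line[m.end():]).strip()
    return users

def parse_rights(text):
    """Return {right: [SIDs]} from [Privilege Rights]; SIDs are the *-prefixed entries."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            entries = [v.strip() for v in value.split(",")]
            rights[name.strip()] = [e[1:] for e in entries if e.startswith("*")]
    return rights

def audit(inf_text, userlist_text):
    """List (right, sid, samid or None) for every account SID (S-1-5-21-*) in the policy."""
    users = parse_userlist(userlist_text)
    return [(right, sid, users.get(sid))
            for right, sids in parse_rights(inf_text).items()
            for sid in sids if sid.startswith("S-1-5-21-")]

if __name__ == "__main__":
    for right, sid, samid in audit(SAMPLE_INF, SAMPLE_USERLIST):
        print(f"{right:24} {sid}  ->  {samid or 'NOT in user list'}")
```

A SID reported as not in the user list is not necessarily orphaned: the dsquery command in the thread lists only users, so domain groups and local machine accounts will not match.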
