Sign in with
Sign up | Sign in
Your question

Need help with ADUC "Account Unknown"

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
January 7, 2005 1:48:32 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Greetings-

If I examine the "Users" container in ADUC, I see the folowing two
entries in the Security tab:

Account Unknown (S-1-5-21-861567501-1500820517-725345543-1261)
Account Unknown (S-1-5-21-861567501-1500820517-725345543-1265)

If I examine each distribution list (I'm running Exchange 2003 on
another member server Win2K3 box in my domain) in the "Users" container
in ADUC, I see the same two entries noted above in the Security tab.

If I examine each user and each security group in the "Users" container
in ADUC, I see the following entry in the Security tab:

Account Unknown (S-1-5-21-861567501-1500820517-725345543-1263)

Here's my questions for the AD gurus:

1) Knowing that these entries most likely represent a user account that
was deleted from AD and that most likely was an administrator of some
kind whose term of service here predates mine, is it safe to delete
these entries?

2) If the answer to 1) is "Yes, it's OK to delete them", is there a way
to delete them en masse as opposed to mamually deleting each entry from
each object?

3) Is there anyway to determine more info about the unknown account,
like when it was deleted etc?

4) What is the significance of the last 4 digits in the entries?
TIA
Gordon Pegue
CG Engineers
Albuquerque, NM

More about : aduc account unknown

Anonymous
a b 8 Security
January 7, 2005 6:34:25 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"gpegue" wrote:
> Greetings-
>
> If I examine the "Users" container in ADUC, I see the folowing
> two
> entries in the Security tab:
>
> Account Unknown (S-1-5-21-861567501-1500820517-725345543-1261)
> Account Unknown (S-1-5-21-861567501-1500820517-725345543-1265)
>
> If I examine each distribution list (I'm running Exchange 2003
> on
> another member server Win2K3 box in my domain) in the "Users"
> container
> in ADUC, I see the same two entries noted above in the
> Security tab.
>
> If I examine each user and each security group in the "Users"
> container
> in ADUC, I see the following entry in the Security tab:
>
> Account Unknown (S-1-5-21-861567501-1500820517-725345543-1263)
>
> Here's my questions for the AD gurus:
>
> 1) Knowing that these entries most likely represent a user
> account that
> was deleted from AD and that most likely was an administrator
> of some
> kind whose term of service here predates mine, is it safe to
> delete
> these entries?
>
> 2) If the answer to 1) is "Yes, it's OK to delete them", is
> there a way
> to delete them en masse as opposed to mamually deleting each
> entry from
> each object?
>
> 3) Is there anyway to determine more info about the unknown
> account,
> like when it was deleted etc?
>
> 4) What is the significance of the last 4 digits in the
> entries?
> TIA
> Gordon Pegue
> CG Engineers
> Albuquerque, NM

Hi,

Yes it is safe to delete them. I have this a lot when an account is
deleted without deleting the users files etc. If you enable Quotas on
the Drive in question then you can go into Quota Manager and delete
all files/folders owned by that SID.

Cheers,

Lara

--
Posted using the http://www.WindowsForumz.com/ interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.WindowsForumz.com/Active-Directory-help-ADUC...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=755830
Anonymous
a b 8 Security
January 7, 2005 11:07:55 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

> 2) If the answer to 1) is "Yes, it's OK to delete them", is there a way to
> delete them en masse as opposed to mamually deleting each entry from each
> object?

Yes. Go to the highest OU or container that these permissions are set on
and delete them there. They're more than likely inheriting these
permissions from higher above.


> 3) Is there anyway to determine more info about the unknown account, like
> when it was deleted etc?

Not really, unless this is a recent thing. If you've been auditing
directory services events and the like, you may find some info. in the
security logs of the DCs. Otherwise, I'm unaware of a way of doing this.


> 4) What is the significance of the last 4 digits in the entries?

These are the RIDs - the unique portion of the SID. The majority of that
SID represents the domain, and a couple of standard bits at the
beginning -version, type, etc. All in all, every single bit of that SID
other than the RIS is unique to your domain. The RID is allocated to each
new user by the creating DC and is taken from a RID pool -allocated in
blocks of 499 to each DC from the RID master.

There are well known RIDs -those that are always used, e.g. -500 is
administrator; -501 is guest.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

<gpegue@cg-engrs.com> wrote in message
news:1105123712.459987.280020@z14g2000cwz.googlegroups.com...
Greetings-

If I examine the "Users" container in ADUC, I see the folowing two
entries in the Security tab:

Account Unknown (S-1-5-21-861567501-1500820517-725345543-1261)
Account Unknown (S-1-5-21-861567501-1500820517-725345543-1265)

If I examine each distribution list (I'm running Exchange 2003 on
another member server Win2K3 box in my domain) in the "Users" container
in ADUC, I see the same two entries noted above in the Security tab.

If I examine each user and each security group in the "Users" container
in ADUC, I see the following entry in the Security tab:

Account Unknown (S-1-5-21-861567501-1500820517-725345543-1263)

Here's my questions for the AD gurus:

1) Knowing that these entries most likely represent a user account that
was deleted from AD and that most likely was an administrator of some
kind whose term of service here predates mine, is it safe to delete
these entries?

2) If the answer to 1) is "Yes, it's OK to delete them", is there a way
to delete them en masse as opposed to mamually deleting each entry from
each object?

3) Is there anyway to determine more info about the unknown account,
like when it was deleted etc?

4) What is the significance of the last 4 digits in the entries?
TIA
Gordon Pegue
CG Engineers
Albuquerque, NM
!