Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Local Service and other well-known security principals do not appear on your Windows Server 2003 domain controller



Symptoms

After you run the dcpromo.exe command on a Microsoft Windows Server 2003 computer to promote the server to a domain controller, the Local Service and other well-known security principals that are introduced with Windows Server 2003 do not appear. You cannot resolve the well-known security principals when you try to add the well-known accounts by using NTFS file system permissions on a file or a folder. Additionally, you cannot resolve the well-known security principals when you use the ADSI Edit tool, the Group Policy Object Editor snap-in (Gpedit.msc), or Registry Editor. Also, if you use the ADSI Edit tool or the LDP tool (Ldp.exe), the well-known accounts do not appear in the following container:
CN=WellKnown Security Principals,CN=Configuration,DC=YourDomain



Cause

This behavior occurs when the forest root domain controller that holds the primary domain controller (PDC) emulator operations master role is running Microsoft Windows 2000 Server. If the forest root PDC emulator operations master is running Windows 2000, the CN=WellKnown Security Principals,CN=Configuration,DC=YourDomain container is not updated with the well-known security principals that are introduced in Windows Server 2003. The Object Picker queries the WellKnown Security Principals container to obtain the list of well-known security principals; because the new entries are absent from that container, the Object Picker cannot find and resolve the corresponding names.



Resolution

To resolve this behavior, upgrade the forest root PDC emulator operations master role holder to Windows Server 2003.

Workaround

To work around this behavior, you can script the maintenance of the Windows Server 2003 well-known security principals by using the Subinacl.exe tool, which accepts the account names directly instead of relying on the Object Picker. For example, to grant Read permissions on a registry key to the Local Service account, type the following command, where RegKey is the path of the registry key:
subinacl /keyreg RegKey /grant="local service"=r
Note: The Subinacl.exe tool is included in the Windows 2000 Resource Kit.



More information

You may experience the behavior that is described in the "Symptoms" section with one or more of the following well-known security principals that are introduced in Windows Server 2003:
  • Digest Authentication
  • Local Service
  • Network Service
  • NTLM Authentication
  • Other Organization
  • Remote Interactive Logon
  • SChannel Authentication
  • This Organization
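To confirm the symptom from an ldifde export of the WellKnown Security Principals container, the following Python script (an added example, not part of the KB article) decodes each base64 objectSid and reports which of the eight Windows Server 2003 principals listed above are absent. The LDIF text is constructed sample input in ldifde shape, and DC=example,DC=test is a placeholder domain.

```python
import base64
import struct

# Well-known SIDs of the eight Windows Server 2003 principals named in the article.
EXPECTED_SIDS = {
    "S-1-5-64-21": "Digest Authentication",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-1000": "Other Organization",
    "S-1-5-14": "Remote Interactive Logon",
    "S-1-5-64-14": "SChannel Authentication",
    "S-1-5-15": "This Organization",
}

# Constructed sample in ldifde shape (placeholder domain DC=example,DC=test):
# only two of the eight principals are present, as in the symptom described.
SAMPLE_LDIF = """\
dn: CN=Local Service,CN=WellKnown Security Principals,CN=Configuration,DC=example,DC=test
cn: Local Service
objectSid:: AQEAAAAAAAUTAAAA

dn: CN=Network Service,CN=WellKnown Security Principals,CN=Configuration,DC=example,DC=test
cn: Network Service
objectSid:: AQEAAAAAAAUUAAAA
"""

def sid_to_string(raw):
    """Decode a binary SID: revision, count, 48-bit big-endian authority, 32-bit LE sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def parse_ldif_sids(text):
    """Map cn -> SID string for every entry that carries a base64 objectSid."""
    found = {}
    for entry in text.strip().split("\n\n"):
        # 'objectSid:: X' (base64 marker) splits on the first ': ' into key 'objectSid:'
        attrs = dict(line.split(": ", 1) for line in entry.splitlines())
        if "objectSid:" in attrs:
            found[attrs["cn"]] = sid_to_string(base64.b64decode(attrs["objectSid:"]))
    return found

def missing_principals(text):
    """Names from EXPECTED_SIDS whose SID does not appear in the export, sorted."""
    present = set(parse_ldif_sids(text).values())
    return sorted(name for sid, name in EXPECTED_SIDS.items() if sid not in present)
```

Run `missing_principals` over the output of `ldifde -f out.ldf -d "CN=WellKnown Security Principals,CN=Configuration,DC=YourDomain"`; an empty list means the container has been populated.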



References

For additional information about how to determine what domain controller holds the PDC emulator FSMO role, click the following article number to view the article in the Microsoft Knowledge Base:
234790 How to find servers that hold Flexible Single Master Operations roles
For additional information about FSMO roles, click the following article number to view the article in the Microsoft Knowledge Base:
197132 Windows 2000 Active Directory FSMO roles
For additional information about how to upgrade a Windows 2000 domain controller, click the following article number to view the article in the Microsoft Knowledge Base:
325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003



Keywords: KB827016, kbprb


Article Info
Article ID : 827016
Revision : 4
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False
Views : 266