Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

"Invalid pointer" error message when you try to back up a Group Policy object by using the Group Policy Management Console in a Windows Server 2003 domain or in a Windows 2000 domain


View products that this article applies to.

Symptoms

When you try to perform a backup of a Group Policy object or of multiple Group Policy objects by using the Microsoft Group Policy Management Console, you receive the following error message in the notification area of the Backup window:
GPO:
Group_Policy_Name...Failed

Invalid pointer

↑ Back to the top


Cause

This behavior occurs if a user or a group name that is referenced in a Group Policy object corresponds to an abbreviation that is defined for a built-in group that is used by the Security Descriptor Definition Language (SDDL) format. For example, this behavior occurs if you name a user or a group "SA." The "SA" abbreviation corresponds to the SDDL security identifier (SID) string that represents the built-in Schema Admins group.

If a user name or a group name matches an SDDL abbreviation that is defined for a built-in group, a function that is called by the Group Policy Management Console treats the user name or the group name as a SID. Therefore, the backup fails and you receive the error message that is mentioned in the "Symptoms" section.

↑ Back to the top


Resolution

To resolve the behavior, use the Active Directory Users and Computers snap-in to change the name of the user or the group that corresponds to one of the abbreviations that is used by SDDL.

↑ Back to the top


More Information

The following table provides the SID string constants for well-known SIDs that are defined in SDDL.
SID stringConstant in Sddl.hAccount alias and corresponding relative ID (RID)
"AO"SDDL_ACCOUNT_OPERATORSAccount operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS.
"RU"SDDL_ALIAS_PREW2KCOMPACCAlias to grant permissions to accounts that use applications compatible with Microsoft Windows NT 4.0 operating systems. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS.
"AN"SDDL_ANONYMOUSAnonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID.
"AU"SDDL_AUTHENTICATED_USERSAuthenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID.
"BA"SDDL_BUILTIN_ADMINISTRATORSBuilt-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS.
"BG"SDDL_BUILTIN_GUESTSBuilt-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS.
"BO"SDDL_BACKUP_OPERATORSBackup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS.
"BU"SDDL_BUILTIN_USERSBuilt-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS.
"CA"SDDL_CERT_SERV_ADMINISTRATORSCertificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS.
"CG"SDDL_CREATOR_GROUPCreator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID.
"CO"SDDL_CREATOR_OWNERCreator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID.
"DA"SDDL_DOMAIN_ADMINISTRATORSDomain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS.
"DC"SDDL_DOMAIN_COMPUTERSDomain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS.
"DD"SDDL_DOMAIN_DOMAIN_CONTROLLERSDomain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS.
"DG"SDDL_DOMAIN_GUESTSDomain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS.
"DU"SDDL_DOMAIN_USERSDomain users. The corresponding RID is DOMAIN_GROUP_RID_USERS.
"EA"SDDL_ENTERPRISE_ADMINSEnterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS.
"ED"SDDL_ENTERPRISE_DOMAIN_CONTROLLERSEnterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID.
"WD"SDDL_EVERYONEEveryone. The corresponding RID is SECURITY_WORLD_RID.
"PA"SDDL_GROUP_POLICY_ADMINSGroup Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS.
"IU"SDDL_INTERACTIVEInteractively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID.
"LA"SDDL_LOCAL_ADMINLocal administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN.
"LG"SDDL_LOCAL_GUESTLocal guest. The corresponding RID is DOMAIN_USER_RID_GUEST.
"LS"SDDL_LOCAL_SERVICELocal service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID.
"SY"SDDL_LOCAL_SYSTEMLocal system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.
"NU"SDDL_NETWORKNetwork logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID.
"NO"SDDL_NETWORK_CONFIGURATION_OPSNetwork configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS.
"NS"SDDL_NETWORK_SERVICENetwork service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID.
"PO"SDDL_PRINTER_OPERATORSPrinter operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS.
"PS"SDDL_PERSONAL_SELFPrincipal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID.
"PU"SDDL_POWER_USERSPower users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS.
"RS"SDDL_RAS_SERVERSRemote access servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS.
"RD"SDDL_REMOTE_DESKTOPTerminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS.
"RE"SDDL_REPLICATORReplicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR.
"RC"SDDL_RESTRICTED_CODERestricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID.
"SA"SDDL_SCHEMA_ADMINISTRATORSSchema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS.
"SO"SDDL_SERVER_OPERATORSServer operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS.
"SU"SDDL_SERVICEService logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID.

↑ Back to the top


References

For more information about SID string constants, visit the following Microsoft Web site:For more information about the Group Policy Management Console, including information about how to download the snap-in, visit the following Microsoft Web site: For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
818736 White paper: Migrating GPOs across domains by using the Group Policy Management Console

818735 White paper: Administering Group Policy by using the Group Policy Management Console

↑ Back to the top


Keywords: kb, kbprb, kbentirenet, kbmgmtservices, kbwinservperf, kberrmsg, kbtshoot

↑ Back to the top

Article Info
Article ID : 867462
Revision : 7
Created on : 8/20/2020
Published on : 8/20/2020
Exists online : False
Views : 752