Wrong SID for Administrator account

In researching my problem for this question, I discovered that the SID for the account in the domain named "Administrator" is:
S-1-5-21-2025429265-492894223-1708537768-1124

That's got to be wrong, because real Administrator SIDs end in 500. Using the same domain key and looking for SID S-1-5-21-2025429265-492894223-1708537768-500 turns up nothing — the built-in Administrator account just isn't there.

I don't know when or how this happened and I'm still looking, but I'm pretty sure it's been like this long enough that I don't even have a backup I could restore that would address this.

Does anyone have any ideas for how to put it right?


Since the account I'm talking about apparently isn't clear, I mean the account referred to in the 2nd bullet point under the "Causes" heading in this knowledge base article:
http://support.microsoft.com/kb/248079

The Administrator account Well-Known Security Identifier, or SID (the account name can be renamed)


Hmm... that's decidedly a "not supposed to happen" scenario. The RID 500 Administrator account is stamped with the "isCriticalSystemObject" attribute set to true, and to my knowledge LSASS is supposed to return an ERROR_DS_UNWILLING_TO_PERFORM error (0x80072035) if you were to try and delete it. (I don't have a scratch AD sitting around in any of my VMs right now to give it a shot. Maybe later...)

How are you searching AD, anyway?

From AD Users and Computers, do a "Find" at the root of the domain, choose a "Custom Search" in the "Find" dropdown, go to the "Advanced" tab, and enter the LDAP search filter "(objectSid=S-1-5-21-2025429265-492894223-1708537768-500)". That'll give you a subtree search of the domain from the root of the directory.

If you really have deleted your RID 500 Administrator account somehow, I'd strongly consider contacting Microsoft Product Support Services. They can probably have something coded to re-create the account (if they don't already have such a tool). I can't imagine how you managed to delete it anyway, because the only way I could think to do that would be direct interaction with the database through ESE. I really didn't think there was any publicly-exposed API that would let you delete an object marked with "isCriticalSystemObject" set to True, and I don't think you can set it to False on the RID 500 Administrator, either. Hmmm...

You've got an interesting situation there. Let us know what the subtree search above returns.


That looks like a user SID; the only SID which ends in -500 is for the built-in account specifically named Administrator. (By default -- it can be renamed via group policy.)

You're a bit unclear with the phrase 'my Administrator account' -- if you mean your personal domain admin account, what you're seeing is correct. If you mean the account named Administrator, then I'd start checking group policy to find out what's happened to the built-in Administrator account -- perhaps someone has renamed it, then created another account named Administrator?
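As an added example that is not part of either answer above, the following PowerShell script does the same subtree search for the RID 500 object that the first answer describes doing in AD Users and Computers, and then checks the second answer's theory (that the built-in account was renamed and a new user called "Administrator" was created) by comparing the RID of whatever object is currently named Administrator. It also looks in the Deleted Objects container. It assumes the RSAT ActiveDirectory module is installed and that the session can read the current domain; the domain SID is read from the domain rather than hard-coded, and nothing on the page confirms what it will return in the questioner's environment.

```powershell
# Added example (not from the original thread): find the RID 500 account by SID,
# independent of its name, then see what the object named "Administrator" really is.
# Assumes the RSAT ActiveDirectory module and read access to the current domain.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value        # S-1-5-21-<three sub-authorities>
$rid500    = "$domainSid-500"               # well-known RID of the built-in Administrator

Write-Host "Domain SID : $domainSid"
Write-Host "Looking for: $rid500"

# Subtree search from the domain root with the same LDAP filter the first answer
# uses in the ADUC "Custom Search" dialog. Get-ADObject rather than Get-ADUser so
# the result does not depend on objectClass.
$builtin = Get-ADObject -LDAPFilter "(objectSid=$rid500)" `
                        -SearchBase $domain.DistinguishedName `
                        -SearchScope Subtree `
                        -Properties sAMAccountName, isCriticalSystemObject, whenCreated

if ($builtin) {
    Write-Host "RID 500 account is named: $($builtin.sAMAccountName)"
    Write-Host "  DN                     : $($builtin.DistinguishedName)"
    Write-Host "  isCriticalSystemObject : $($builtin.isCriticalSystemObject)"
    Write-Host "  whenCreated            : $($builtin.whenCreated)"
} else {
    Write-Warning "No live object with SID $rid500 under $($domain.DistinguishedName)"
}

# The second answer's theory: someone renamed the built-in account and created an
# ordinary user called Administrator. Compare the RID of the object that has that name.
$named = Get-ADUser -LDAPFilter "(sAMAccountName=Administrator)" -Properties objectSid, whenCreated
if ($named) {
    $rid = ($named.objectSid.Value -split '-')[-1]
    Write-Host "Object named 'Administrator': SID $($named.objectSid.Value), RID $rid, created $($named.whenCreated)"
    if ($rid -ne '500') {
        Write-Warning "'Administrator' is not the built-in account; RID $rid is an ordinary allocated RID."
    }
} else {
    Write-Warning "No object with sAMAccountName 'Administrator' found."
}

# Last check: was the RID 500 object tombstoned? Only informative within the tombstone
# lifetime (or with the AD Recycle Bin enabled); requires rights to read Deleted Objects.
Get-ADObject -LDAPFilter "(objectSid=$rid500)" -IncludeDeletedObjects `
             -Properties isDeleted, lastKnownParent, whenChanged |
    Format-List DistinguishedName, isDeleted, lastKnownParent, whenChanged
```

If the first search returns an object with a different sAMAccountName, the built-in account was simply renamed and the "Administrator" user with RID 1124 is a separately created account, which matches the second answer; if it returns nothing live and nothing tombstoned, that is the "not supposed to happen" case the first answer describes, and the advice to involve Microsoft support stands.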