Unknown Account + Server 2003
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Unknown Account + Server 2003

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    228

    Unknown Account + Server 2003

    While setting up audits, I noticed an unknown user listed in a folders ACL named, "unknown user" followed by a long string of digits. Does anyone know what this is? I was first thinking it could be an old account that I deleted, but wasn't sure. Wouldn't all associations with an old account disappear after the account is deleted out of my OU? Is this still the SID that is now unassociated with a user name?

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I've had this happen to me before. The SID didn't resolve to a user name.

    There are utilities like sid2user that will tell you which user account a sid belongs to.

    http://www.ntbugtraq.com/default.aspx?pid=55&did=6
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    User account that was deleted...

    We had layoffs temp and permenant recently and I noticed this with the deleted accounts.

    the string of numbers is the SID of the account

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    Senior Member
    Join Date
    Jan 2004
    Posts
    228
    Ok, it was what I expected. After looking through my notes, I keep notes on all changes I make, I noticed I deleted a user a few weeks back that had access to that folder explicitly. I remember to remove her from Global Security Group before deleting her account, but just figured her SID would be removed from ACLs at the folder level. Come to think of it, I probably didnt' even have to delete her from the group, because AD should have done that automatically. After seeing this happen, maybe it's a good thing.

    Thanks for the help

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Never add directly an user to a ACL Allways use groups. You will avoid this kind of thing.

    Its a "best pratice".
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  6. #6
    Senior Member
    Join Date
    Jan 2004
    Posts
    228
    I created network drives for users that only gave them; the system and me access. In this scenario, would you use groups? I get what you mean though, I'm trying to use groups whenever possible.

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Originally posted here by warriorfan808
    I created network drives for users that only gave them; the system and me access. In this scenario, would you use groups? I get what you mean though, I'm trying to use groups whenever possible.
    if "you" means "administrator" account, no...otherwise, yes.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by cacosapo
    if "you" means "administrator" account, no...otherwise, yes.
    So you add each user to their own group for their "home" drive?

    I use groups for shared resources (common shares, printers, etc.) but for their "home" drive, I've always used "user" "system" and the group "domain admins"

    IMO- Creating a dedicated group for each user is not necessary. It may prevent problems like the one above, but after the user is gone... the permissions on the users "home" folder will change and the folder will either be deleted or archived or it's contents moved to another employee.

    The purpose of groups is to combine users into logical group so you can manage like users together and not have to make changes to each individual user account. If there is only going to one user assigned to each of those groups... it defeats the purpose of a "group".
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    We use groups for Job Title... So the Admin Assistant who has rights across numerous drives, folders etc. has a group called Adimin Assistant and the rights are set for that group to the assets they need and added to groups they need to be added to. Then we create the user and add the user to the group. When the user leaves they are removed from the group thus all their rights are removed. When they are replaced the new user is created and added to the Admin Assistant group. They automatically get rights to all the assets the previous Admin Assistant had.

    Beats the hell out of having to log where you granted who rights to and manage the change of personnel.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    So you add each user to their own group for their "home" drive?]
    No, because there is no home drives here. Nobody is allowed to have a personal / home space on file servers; only departamental folders are allowed.

    But even i create a folder on network that only one user will access (e.g. a folder that Data Base admin will store his documentation) i create a group and put this user in a group.

    A lot of O.S. simply dont clear direct connections (users to ACL). O windows, its hard to get access because the sid structure. In others, account name is stored directly on ACL. If you reuse / recreate the account, the user will get access on resources.
    When you use groups to acl instead accounts to acl, you just avoid a unecessary risk at your installation. When you clear the user, most O.S. just remove the account from all groups. Its silly create a group for just one user? Maybe.

    A lot of "best pratices" sounds silly when you get a specific need. But IMHO, if you follow best pratices even if you think its just an overhead, you will be happy at the end of day. The only exception is when the best pratice will reduce the security on specific case. In that case, i skip the best pratice recommendation.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •