
Thread: Unknown Account + Server 2003

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    228

    Unknown Account + Server 2003

    While setting up audits, I noticed an unknown user listed in a folder's ACL named "unknown user" followed by a long string of digits. Does anyone know what this is? I was first thinking it could be an old account that I deleted, but wasn't sure. Wouldn't all associations with an old account disappear after the account is deleted out of my OU? Is this still the SID that is now unassociated with a user name?

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I've had this happen to me before. The SID didn't resolve to a user name.

    There are utilities like sid2user that will tell you which user account a SID belongs to.

    http://www.ntbugtraq.com/default.aspx?pid=55&did=6
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    User account that was deleted...

    We had layoffs, temp and permanent, recently and I noticed this with the deleted accounts.

    The string of numbers is the SID of the account.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    Senior Member
    Join Date
    Jan 2004
    Posts
    228
    Ok, it was what I expected. After looking through my notes (I keep notes on all changes I make), I noticed I deleted a user a few weeks back that had access to that folder explicitly. I remembered to remove her from the Global Security Group before deleting her account, but just figured her SID would be removed from ACLs at the folder level. Come to think of it, I probably didn't even have to delete her from the group, because AD should have done that automatically. After seeing this happen, maybe it's a good thing.

    Thanks for the help

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Never add a user directly to an ACL. Always use groups. You will avoid this kind of thing.

    It's a "best practice".
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  6. #6
    Senior Member
    Join Date
    Jan 2004
    Posts
    228
    I created network drives for users that only gave them, the system and me access. In this scenario, would you use groups? I get what you mean though, I'm trying to use groups whenever possible.

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Originally posted here by warriorfan808
    I created network drives for users that only gave them; the system and me access. In this scenario, would you use groups? I get what you mean though, I'm trying to use groups whenever possible.
    if "you" means "administrator" account, no...otherwise, yes.

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by cacosapo
    if "you" means "administrator" account, no...otherwise, yes.
    So you add each user to their own group for their "home" drive?

    I use groups for shared resources (common shares, printers, etc.) but for their "home" drive, I've always used "user" "system" and the group "domain admins"

    IMO, creating a dedicated group for each user is not necessary. It may prevent problems like the one above, but after the user is gone... the permissions on the user's "home" folder will change and the folder will either be deleted or archived, or its contents moved to another employee.

    The purpose of groups is to combine users into a logical group so you can manage like users together and not have to make changes to each individual user account. If there is only going to be one user assigned to each of those groups... it defeats the purpose of a "group".

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    We use groups for Job Title... So the Admin Assistant who has rights across numerous drives, folders etc. has a group called Admin Assistant and the rights are set for that group to the assets they need, and it is added to the groups it needs to be added to. Then we create the user and add the user to the group. When the user leaves they are removed from the group, thus all their rights are removed. When they are replaced, the new user is created and added to the Admin Assistant group. They automatically get rights to all the assets the previous Admin Assistant had.

    Beats the hell out of having to log where you granted who rights to and manage the change of personnel.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    So you add each user to their own group for their "home" drive?
    No, because there are no home drives here. Nobody is allowed to have a personal / home space on file servers; only departmental folders are allowed.

    But even if I create a folder on the network that only one user will access (e.g. a folder where the database admin will store his documentation), I create a group and put this user in the group.

    A lot of OSes simply don't clear direct connections (users in the ACL). On Windows, it's hard to get access because of the SID structure. In others, the account name is stored directly in the ACL. If you reuse / recreate the account, the user will get access to the resources.
    When you put groups in the ACL instead of accounts, you just avoid an unnecessary risk at your installation. When you delete the user, most OSes just remove the account from all groups. Is it silly to create a group for just one user? Maybe.

    A lot of "best practices" sound silly when you have a specific need. But IMHO, if you follow best practices even if you think it's just overhead, you will be happy at the end of the day. The only exception is when the best practice would reduce security in a specific case. In that case, I skip the best practice recommendation.
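The two problems raised in this thread, an orphaned SID left in a folder's ACL after the account was deleted (posts #1 to #4) and rights granted straight to user accounts instead of groups (posts #5 and #10), can be found with one audit pass over the ACLs. The script below is an added example, not code from the thread or from any of its posters. It assumes PowerShell 3 or later on a domain-joined machine with read access to the folder tree, and uses the WinNT ADSI provider only to ask whether a resolvable principal is a User or a Group; `Get-AclAudit` and `Get-PrincipalClass` are names chosen for this example.

```powershell
# Added example, not from the thread: walk a folder tree, emit one row per ACE, and flag
#   (a) ACEs whose SID no longer resolves to an account (the "unknown user S-1-5-21-..."
#       entries left behind when a user object is deleted), and
#   (b) ACEs granted directly to a user object rather than to a group.
# Assumes PowerShell 3+, a domain-joined host, and the WinNT ADSI provider for class lookups.

function Get-PrincipalClass {
    param([System.Security.Principal.NTAccount]$Account)
    # "DOMAIN\name" -> "WinNT://DOMAIN/name"; SchemaClassName is "User" or "Group".
    $parts = $Account.Value -split '\\', 2
    if ($parts.Count -ne 2) { return 'Unknown' }
    try {
        $obj = [ADSI]("WinNT://{0}/{1}" -f $parts[0], $parts[1])
        return $obj.SchemaClassName
    } catch {
        # Well-known principals such as NT AUTHORITY\SYSTEM may not bind; treat as unknown.
        return 'Unknown'
    }
}

function Get-AclAudit {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) { $items += Get-ChildItem -LiteralPath $Path -Recurse -Directory }

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            $id       = $ace.IdentityReference
            $orphaned = $false
            $class    = 'Unknown'

            if ($id -is [System.Security.Principal.SecurityIdentifier]) {
                # Get-Acl already tried to translate the SID to DOMAIN\name; a raw SID
                # here means no account (deleted or foreign) matches it any more.
                $orphaned = $true
            } else {
                $class = Get-PrincipalClass -Account $id
            }

            [pscustomobject]@{
                Path        = $item.FullName
                Identity    = $id.Value
                Rights      = $ace.FileSystemRights
                Type        = $ace.AccessControlType
                Inherited   = $ace.IsInherited
                OrphanedSid = $orphaned
                Class       = $class
                DirectUser  = (-not $orphaned -and $class -eq 'User')
            }
        }
    }
}

# Usage: list only the entries worth cleaning up (constructed share path).
Get-AclAudit -Path 'D:\Shares\Finance' -Recurse |
    Where-Object { $_.OrphanedSid -or $_.DirectUser } |
    Format-Table Path, Identity, Rights, Inherited, OrphanedSid, DirectUser -AutoSize
```

Rows with `Inherited` set to true point at a parent folder where the ACE actually lives, so fix the parent rather than each child. An orphaned SID is harmless on its own, but it is the symptom the thread describes: the deleted account's rights were never tied to a group, so nothing removed them when the account went away. Removing a flagged ACE is a matter of calling `RemoveAccessRule` on the object returned by `Get-Acl` and writing it back with `Set-Acl`; review the report first, since an unresolvable SID can also belong to an account in a domain the server cannot currently reach.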
