This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 10%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
I've seen this issue posted a handful of times but my issue seems to be unique compared to them.
On every virtual machine (Windows Server and Windows 10) in our domain, when viewing already present or adding users in the local administrators group, only account SIDs are listed. I've checked other local groups on them, like Remote Desktop Users, and they are listing the user names as expected; this only appears to affect the local administrators group.
A strange behavior I've discovered trying to troubleshoot this issue... If I add a domain user to another group on the computer, like Remote Desktop Users, and go back to the Administrators group, the user name is then listed. If I go back to the other group and remove that user, the user name is still listed in the Administrators group. Its like the Administrators group is unaware of user names until another group looks it up.
There are no domain related errors in Event Viewer, I'm able to lookup domain user names from SIDs from all affected machines, I've double and triple checked group policies aren't blocking translations, everything looks good.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 32%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
I just saw this for the first time and posted about it in another forum. Interestingly we had an attack on the computer that this was noticed on. It's been completely reimaged, low level format, etc, memory tested and is working as it always had now. The name's with SID's went away after the remediation, so does this mean it was left over due to the attack?
We had an attack that appears to be Emotet from an email that was clicked on with a password trojan. The user's account was compromised by what appears to be a brute-force attack, the trojan malware, or a combination of both.
After remediation, we tested the computer in our sandbox and noticed the names with SIDs after them. Wondering if it's related, never seen this happen before.
I'd check the domain controller and problem member both have the static ip address of DC listed for DNS and no others such as router or public DNS
--please don't forget to Accept as answer if the reply is helpful--
Every member is a problem member, including freshly built servers, I haven't found a single VM this behavior is not present on. I have checked DNS is configured properly; I can say with high confidence there are no DNS problems on our network currently.
Please run;
Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
(etc. as other DC's exist)
ipconfig /all > C:\problemmember.txt
then put unzipped text files up on OneDrive and share a link.
dcdiag has a lot of detail about the domain as a whole, I don't feel comfortable posting it in whole on a public forum. What section are you looking to see?
I'll be working to get the other results gathered, cleaned, and posted later today.
Not a problem, you can start a case here with product support.
https://support.microsoft.com/en-us/hub/4343728/support-for-business
--please don't forget to Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for posting here.
According to our description, it sounds like DNS name resolution issue. Since only SIDs listed, the server is not able to resolve the user names from the domain. As Dave replied, we could run the commands to have a check of DNS configuration, DC and AD replication.
Besides, as for our issue, we would like to know:
1, Are all users from the same domain?
2, All the member servers are affected?
3, Is there duplication of VM? As per my research, someone had the similar problem due to duplication of VM. They did not sysprepped the additional VM. Once they sysprepped them, it solved the issue. We could kindly have a check about this.
4, Have we tried rejoin the computer to domain to see whether it could solve the issue?
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
I understand the opinion that this sounds like a DNS issue. However, that doesn't make sense when some groups resolve names while others do not. As I stated, the Administrators group does not resolve SIDs to user names but other groups, such as Remote Desktop Users, do. In fact, if I first add a user to another group, such as Remote Desktop Users, then add the same user to the Administrators group, the user name then resolves.
1, Are all users from the same domain? Yes, all users are from the same domain. We don't use any cross-forest trust.
2, All the member servers are affected? Yes, all member servers are affected.
3, Is there duplication of VM? No
4, Have we tried rejoin the computer to domain to see whether it could solve the issue? Yes, I have tried rejoining a handful of machines. Even fresh VMs with literally ZERO third part software installed have the issue.
Hello,
Thank you so much for your feedback.
It is really strange and frankly speaking, I have no idea why it happens. And this issue could not be reproduced in my environment now. It is suggested that we could have a check of DNS configuration, DC function and AD replication. Yeah, it is suggested not to share the information on public forum. Therefore, we can check for ourselves.
If we still have any concerns, as mentioned, we could start a case with product support for further assistance.
Thank you so much for your understanding and support.
Best regards,
Hannah Xiong
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 4%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETR%3C/text%3E%3C/svg%3E)
Thanks HannahXiong-MSFT. My DNS entry was not re-entered when I replaced network cards. Added the DNS entry that resolves to my domain, and it works.
Glad to hear of success, you're welcome.
--please don't forget to upvote and Accept as answer if the reply is helpful--