DerekChisholm-6502 asked ·

Local Administrator account shows SID for domain members

I've seen this issue posted a handful of times but my issue seems to be unique compared to them.

On every virtual machine (Windows Server and Windows 10) in our domain, when viewing already present or adding users in the local administrators group, only account SIDs are listed. I've checked other local groups on them, like Remote Desktop Users, and they are listing the user names as expected; this only appears to affect the local administrators group.

A strange behavior I've discovered trying to troubleshoot this issue... If I add a domain user to another group on the computer, like Remote Desktop Users, and go back to the Administrators group, the user name is then listed. If I go back to the other group and remove that user, the user name is still listed in the Administrators group. It's like the Administrators group is unaware of user names until another group looks it up.

There are no domain-related errors in Event Viewer, I'm able to look up domain user names from SIDs from all affected machines, I've double and triple checked group policies aren't blocking translations, everything looks good.

Tags: windows-server, windows-active-directory
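
An added example, not part of the original post: a PowerShell check that lists the members of the local Administrators and Remote Desktop Users groups by SID and reports whether each SID translates to an account name on the machine where it runs. The function name `Get-GroupSidResolution` is hypothetical; the groups are addressed by their well-known SIDs (S-1-5-32-544 and S-1-5-32-555) so localized group names still work.

```powershell
# Added diagnostic example (not from the thread). Run on an affected member server.
# Well-known SIDs: Administrators and Remote Desktop Users.
$groupSids = 'S-1-5-32-544', 'S-1-5-32-555'

function Get-GroupSidResolution {
    param([Parameter(Mandatory = $true)][string]$GroupSid)

    $ntAccount = [System.Security.Principal.NTAccount]

    # Resolve the local group name from its well-known SID, e.g. BUILTIN\Administrators.
    $groupSidObj = New-Object System.Security.Principal.SecurityIdentifier($GroupSid)
    $groupName = $groupSidObj.Translate($ntAccount).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read their properties by late binding.
        $type = $member.GetType()
        $sidBytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $adsPath = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        $account = $null
        $lookupError = $null
        try {
            # SID-to-name translation; fails when the SID cannot be mapped.
            $account = $sid.Translate($ntAccount).Value
        } catch {
            $lookupError = $_.Exception.Message
        }

        [pscustomobject]@{
            Group    = $groupName
            Sid      = $sid.Value
            Resolved = [bool]$account
            Account  = $account
            AdsPath  = $adsPath
            Error    = $lookupError
        }
    }
}

$results = foreach ($g in $groupSids) { Get-GroupSidResolution -GroupSid $g }

# Sorting by SID puts the same account's rows from both groups next to each other.
$results | Sort-Object Sid, Group | Format-Table -AutoSize
```

Run it before and after adding a user to the second group to record whether the translation result for that SID changes.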

DSPatrick answered ·

I'd check that the domain controller and problem member both have the static IP address of the DC listed for DNS and no others, such as router or public DNS.


--please don't forget to Accept as answer if the reply is helpful--



Every member is a problem member, including freshly built servers, I haven't found a single VM this behavior is not present on. I have checked DNS is configured properly; I can say with high confidence there are no DNS problems on our network currently.

DSPatrick DerekChisholm-6502 ·

Please run;

Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
(etc. as other DC's exist)
ipconfig /all > C:\problemmember.txt

then put unzipped text files up on OneDrive and share a link.




dcdiag has a lot of detail about the domain as a whole, I don't feel comfortable posting it in whole on a public forum. What section are you looking to see?

I'll be working to get the other results gathered, cleaned, and posted later today.

HannahXiong-MSFT answered ·

Hello,

Thank you so much for posting here.

According to our description, it sounds like a DNS name resolution issue. Since only SIDs are listed, the server is not able to resolve the user names from the domain. As Dave replied, we could run the commands to have a check of DNS configuration, DC and AD replication.

Besides, as for our issue, we would like to know:

1, Are all users from the same domain?

2, All the member servers are affected?

3, Is there duplication of VM? As per my research, someone had a similar problem due to duplication of VM. They did not sysprep the additional VM. Once they sysprepped them, it solved the issue. We could kindly have a check about this.

Similar case: https://social.technet.microsoft.com/Forums/ie/en-US/048cd9b2-5360-4873-bea6-c487aa61feb4/server-cant-determine-user-name-just-show-sid-and-then-disappear?forum=winserverDS

4, Have we tried rejoining the computer to the domain to see whether it could solve the issue?

For any question, please feel free to contact us.

Best regards,
Hannah Xiong



I understand the opinion that this sounds like a DNS issue. However, that doesn't make sense when some groups resolve names while others do not. As I stated, the Administrators group does not resolve SIDs to user names but other groups, such as Remote Desktop Users, do. In fact, if I first add a user to another group, such as Remote Desktop Users, then add the same user to the Administrators group, the user name then resolves.

1, Are all users from the same domain? Yes, all users are from the same domain. We don't use any cross-forest trust.
2, All the member servers are affected? Yes, all member servers are affected.
3, Is there duplication of VM? No
4, Have we tried rejoining the computer to the domain to see whether it could solve the issue? Yes, I have tried rejoining a handful of machines. Even fresh VMs with literally ZERO third-party software installed have the issue.


Hello,

Thank you so much for your feedback.

It is really strange and, frankly speaking, I have no idea why it happens. And this issue could not be reproduced in my environment now. It is suggested that we could have a check of DNS configuration, DC function and AD replication. Yeah, it is suggested not to share the information on a public forum. Therefore, we can check for ourselves.

If we still have any concerns, as mentioned, we could start a case with product support for further assistance.

Thank you so much for your understanding and support.


Best regards,
Hannah Xiong
