Fahrid95 asked:

Windows SID

Hi All,

In our environment we have one AD server, which acts as the domain controller, and two client servers. We use the domain administrator account for all three servers.

On one of our client servers we have Citrix components, and while launching one of the components we got the below error.

The current user does not appear to be member of an active Directory. Studio cannot be run by a local user.

In the logs we observed the below, which suggests the issue is related to the domain administrator account.

DomainMembershipScript(48): Failed to obtain user domain. Assuming non domain user
DomainMembershipScript(48): AD Error: System.Security.Authentication.AuthenticationException: The user name or password is incorrect.
---> System.Runtime.InteropServices.COMException: The user name or password is incorrect.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)

Ran the below commands to get the domain name from the defective client server; they failed there but work fine on the AD server.

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
[System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

So I wanted to know whether any group policies can change the SID for the domain administrator, as we have applied some of the CIS CAT Benchmark v1.2.0 recommended policies.

Below are the workarounds tried; they did not work, and some of them are not recommended.

  1. Tried creating a new domain administrator user (not recommended by our internal team, as we would need to make changes to the architecture).

  2. Removed the client server from the domain and rejoined it (not recommended by Citrix).

  3. Verified connectivity by running the ping, nslookup and whoami commands.

  4. Creating a new OU (not recommended).

Any quick help will be appreciated.

Thanks.

Tags: windows-server-2016, windows-group-policy, windows-server-security
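A diagnostic that separates the cases behind this error, added here as an example and not part of the original post: it assumes an elevated PowerShell session on the affected Windows Server 2016 member server, the built-in LocalAccounts and Management cmdlets, and it repeats the LDAP bind the Citrix log shows failing so the exception surfaces with the principal actually used.

```powershell
# Added diagnostic (not from the original post). Run elevated, in the same session
# that produced "Studio cannot be run by a local user".
$report = [ordered]@{}

# 1. Token check: a domain account's SID carries the domain's SID prefix, a local
#    account's SID carries the machine's SID prefix. No GPO setting rewrites either.
$identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid
$report['User']             = $identity.Name
$report['UserSid']          = $identity.User.Value
$report['UserSidPrefix']    = $identity.User.AccountDomainSid.Value
$report['MachineSidPrefix'] = $machineSid.Value
$report['TokenIsLocal']     = ($identity.User.AccountDomainSid -eq $machineSid)
$report['AuthType']         = $identity.AuthenticationType   # Kerberos / NTLM / Negotiate

# 2. Domain join state and the computer's secure channel to a DC, which the
#    DomainMembershipScript depends on. Throws if the machine is not domain-joined.
$cs = Get-CimInstance Win32_ComputerSystem
$report['PartOfDomain'] = $cs.PartOfDomain
$report['Domain']       = $cs.Domain
try {
    $report['SecureChannelOk'] = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    $report['SecureChannelOk'] = "FAILED: $($_.Exception.Message)"
}

# 3. The bind that fails at DirectoryEntry.Bind in the log, done explicitly with the
#    current token (no stored credentials), followed by the same GetCurrentDomain call.
try {
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $report['LdapBind']   = "OK, defaultNamingContext=" +
                            $rootDse.Properties['defaultNamingContext'].Value
    $report['UserDomain'] = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
} catch {
    $report['LdapBind'] = "FAILED: $($_.Exception.GetType().Name): $($_.Exception.Message)"
}

# 4. Who sits in local Administrators and where each principal comes from
#    (Local vs ActiveDirectory), to confirm which account is actually in use.
$report['LocalAdmins'] = (Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { "$($_.Name) [$($_.PrincipalSource)]" }) -join '; '

[pscustomobject]$report | Format-List
```

If TokenIsLocal is true the session is running as a machine account despite the name; if it is false but LdapBind fails with AuthenticationException, the token or the secure channel is the problem, not the SID.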

1 Answer

Thameur-BOURBITA answered:

Hi,

It's not recommended to use the built-in domain administrator account to manage domain member servers. It's recommended to respect the 3-tier model: use another domain account and add it as a member of the local Administrators group on domain member servers:

[image: 186837-image.png]


You can use a GPO to automatically add an admin user account to the local Administrators group:

[image: 186823-image.png]




Please don't forget to mark the helpful reply as the answer.



Fahrid95 commented:

Hi @Thameur-BOURBITA

Please share any official Microsoft article related to this; also, your 3-tier model image is not clear, please update it again if possible.

Thanks


Thameur-BOURBITA commented:

You can refer to the following link to understand the concept of the 3-tier administration model:

use-microsofts-active-directory-tier-administrative-model



Please don't forget to mark the helpful reply as the answer.

Fahrid95 commented:

Hi @Thameur-BOURBITA

Apart from creating a new domain administrator user, do we have any other resolution?

I have modified a few of the group policies as well, in the below paths in AD and also in the member server's Local Group Policy Editor:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

I suspect one of the policies is causing the change in the SID, but I am not sure which particular setting is causing the issue.

Thanks
