Event ID 16406 — Well-Known Account Upgrade

Applies To: Windows Server 2008

When a computer is promoted to become a domain controller, the promotion process recreates the required well-known groups and local groups that are not present when you install Active Directory Domain Services (AD DS) to make a computer a domain controller.

Event Details

Product: Windows Operating System
ID: 16406
Source: SAM
Version: 6.0
Message: The Security Account Database detected that the well known account %1 does not exist. The account has been recreated. Please reset the password for the account.


Reset the password for a well-known account that was created recently

The Security Accounts Manager (SAM) created a required built-in account that did not exist. Reset the password on this account. The account name is in the Event Viewer event text. Perform the following procedure using a domain member computer with the domain administrative tools installed.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To locate an account and reset the account password:

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the console tree, right-click the object that represents your domain, and then click Find. The Find Users, Contacts, and Groups dialog box opens.
  3. In Name, type the name of the account that is specified in the event text, and then click Find Now.
  4. In Search results, right-click the account that requires a password reset, and then click Reset Password. The Reset Password dialog box appears.
  5. In New Password, type the password, and, in Confirm Password, type the same password again, and then click OK.
  6. To confirm the password change, click OK.


To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. Perform the following steps using a domain controller in the domain.

To verify that the well-known accounts exist:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type dsquery * -filter "(objectSID=*)" -limit 44 -attr objectsid distinguishedname > wellknownaccounts.txt, and press ENTER. The first 44 accounts in the directory are copied to a text file.
  3. Type notepad wellknownaccounts.txt and press ENTER. The file opens in Notepad.
  4. Check the entries in the list against the following table.

In the following table dSID represents the unique groups of digits that are the domain's security identifier (SID) and dpath represents the actual Lightweight Directory Access Protocol (LDAP) path of the domain. For example, if the domain is named adatum.com, the LDAP path is DC=adatum,DC=com.

Well-known security identifiers and accounts

objectsid distinguishedname 
S-1-5-4 CN=S-1-5-4,CN=ForeignSecurityPrincipals,dpath
S-1-5-9 CN=S-1-5-9,CN=ForeignSecurityPrincipals,dpath
S-1-5-11 CN=S-1-5-11,CN=ForeignSecurityPrincipals,dpath
S-1-5-17 CN=S-1-5-17,CN=ForeignSecurityPrincipals,dpath
S-1-5-32 CN=Builtin,dpath
S-1-5-32-544 CN=Administrators,CN=Builtin,dpath
S-1-5-32-545 CN=Users,CN=Builtin,dpath
S-1-5-32-546 CN=Guests,CN=Builtin,dpath
S-1-5-32-548 CN=Account Operators,CN=Builtin,dpath
S-1-5-32-549 CN=Server Operators,CN=Builtin,dpath
S-1-5-32-550 CN=Print Operators,CN=Builtin,dpath
S-1-5-32-551 CN=Backup Operators,CN=Builtin,dpath
S-1-5-32-552 CN=Replicator,CN=Builtin,dpath
S-1-5-32-554 CN=Pre-Windows 2000 Compatible Access,CN=Builtin,dpath
S-1-5-32-555 CN=Remote Desktop Users,CN=Builtin,dpath
S-1-5-32-556 CN=Network Configuration Operators,CN=Builtin,dpath
S-1-5-32-557 CN=Incoming Forest Trust Builders,CN=Builtin,dpath
S-1-5-32-558 CN=Performance Monitor Users,CN=Builtin,dpath
S-1-5-32-559 CN=Performance Log Users,CN=Builtin,dpath
S-1-5-32-560 CN=Windows Authorization Access Group,CN=Builtin,dpath
S-1-5-32-561 CN=Terminal Server License Servers,CN=Builtin,dpath
S-1-5-32-562 CN=Distributed COM Users,CN=Builtin,dpath
S-1-5-32-568 CN=IIS_IUSRS,CN=Builtin,dpath
S-1-5-32-569 CN=Cryptographic Operators,CN=Builtin,dpath
S-1-5-32-573 CN=Event Log Readers,CN=Builtin,dpath
S-1-5-32-574 CN=Certificate Service DCOM Access,CN=Builtin,dpath
S-1-5-21-dSID dpath
S-1-5-21-dSID-498 CN=Enterprise Read-only Domain Controllers,CN=Users,dpath
S-1-5-21-dSID-500 CN=Administrator,CN=Users,dpath
S-1-5-21-dSID-501 CN=Guest,CN=Users,dpath
S-1-5-21-dSID-502 CN=krbtgt,CN=Users,dpath
S-1-5-21-dSID-512 CN=Domain Admins,CN=Users,dpath
S-1-5-21-dSID-513 CN=Domain Users,CN=Users,dpath
S-1-5-21-dSID-514 CN=Domain Guests,CN=Users,dpath
S-1-5-21-dSID-515 CN=Domain Computers,CN=Users,dpath
S-1-5-21-dSID-516 CN=Domain Controllers,CN=Users,dpath
S-1-5-21-dSID-517 CN=Cert Publishers,CN=Users,dpath
S-1-5-21-dSID-518 CN=Schema Admins,CN=Users,dpath
S-1-5-21-dSID-519 CN=Enterprise Admins,CN=Users,dpath
S-1-5-21-dSID-520 CN=Group Policy Creator Owners,CN=Users,dpath
S-1-5-21-dSID-521 CN=Read-only Domain Controllers,CN=Users,dpath
S-1-5-21-dSID-553 CN=RAS and IAS Servers,CN=Users,dpath
S-1-5-21-dSID-571 CN=Allowed RODC Password Replication Group,CN=Users,dpath
S-1-5-21-dSID-572 CN=Denied RODC Password Replication Group,CN=Users,dpath

Well-Known Account Upgrade

Active Directory