Event ID 12292 — Account Integrity
Applies To: Windows Server 2008 R2
The Security Accounts Manager (SAM) is a service that is used during the logon process. The SAM maintains user account information, including groups to which a user belongs. The SAM checks for duplicate accounts and duplicate security identifiers (SIDs).
|Product:||Windows Operating System|
|Message:||There are two or more objects that have the same account name attribute in the SAM database. The Distinguished Name of the account is %1. All duplicate accounts should be deleted, but ensure that the original account remains. For computer accounts, the newest account should be retained. In all the other cases, the older account should be retained.|
Delete or rename duplicate renamed accounts
There was a data collision because two Active Directory objects were given the same name. The system resolved the issue by automatically renaming one of the accounts. The account that was renamed is specified in the Event Viewer event message. Locate the original account and the account that was renamed in Active Directory Users and Computers. Determine whether both accounts should be retained. If both accounts should be retained, rename the account with the system-generated name appropriately, according to your established naming convention. Ensure that all the properties of both user accounts are accurate for your environment. Perform the following procedure using a domain member computer with the domain administrative tools installed.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To locate and rename an account in Active Directory Users and Computers:
- Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Right-click the object in the console that represents your domain, and then click Find.
- In the Find Users, Contacts, and Groups dialog box, select the type of account that you want to locate in Find. For example, if you want to locate a user, contact, or group account, the default selection is appropriate. However, if the account is a computer, printer, or organizational unit (OU), select the appropriate object type.
- In Name, type the name of the account that you want to rename. The object that represents the account that you want to rename appears in the Search results pane.
- Right-click the object that represents the account that you want to rename, and then click Rename. Enter the appropriate name and information in the Rename dialog box, and then click OK.
Make the necessary modifications to the user accounts to ensure that they have unique names that map your established account naming conventions.
To verify that security identifier (SID) and name lookup operations are functioning properly, you must have a utility that can translate account names to SIDs. PsTools from Microsoft includes the PsGetSid utility, which translates account names to SIDs and SIDs to account names. Perform the following procedures using a computer that is a domain member.
To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
Obtain and extract PsTools
To obtain and extract PsTools:
- Download PsTools (http://go.microsoft.com/fwlink/?LinkId=87333).
- Extract PsTools.zip from your download folder to a new folder named PsTools. For example, to extract PsTools.zip to a PsTools folder on the C: drive, right-click the PsTools.zip file, and then click Extract All. In the Extraction Wizard, click Next. In Files will be extracted to this directory, type C:\PsTools, and then click Extract.
- Close the extraction destination folder (C:\PsTools), which automatically opens in a new window when the extraction is complete.
Verify that lookup operations succeed
To verify that lookup operations succeed:
- Open a command prompt as an administrator on the local computer. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start Menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Change the directory path to the folder where you extracted PsTools. For example, if you extracted PsTools to the C:\PsTools folder, type cd /d c:\pstools, and then press ENTER.
- At the command prompt, type net config rdr, and then press ENTER. In the resulting command output, note the Workstation domain name, which is used in the following command.
- Type psgetsid domainname**\guest**, and then press ENTER, where domainname is the Workstation domain name in the output from the previous command:
- If this is the first time that you are running psgetsid on this computer, the PsGetSid License Agreement appears. Read the license agreement. If you agree to the terms, click Agree. If you do not agree to the terms, you cannot verify lookup using PsGetSid or continue with the following directions.
- The output from this command displays the SID of the guest account for the domain. This SID starts with S-1-5-21 and ends with -501. The domain guest account SID is used in the following command.
- Type psgetsid dgsid, where dgsid is the domain guest account SID that is displayed by the previous command, and then press ENTER. The output of the command translates the SID to the name of the domain guest account.
- Type hostname, and then press ENTER. The output of the command displays the local computer name, which is used in the following command.
- Type psgetsid hostname \guest, and then press ENTER, where hostname is the name of the local computer that appears after you run the hostname command. The output from this command displays the SID of the guest account for the local computer. The local guest account SID starts with S-1-5-21 and ends with -501. However, it should have a different set of digits between S-1-5-21 and -501 than the domain guest account SID. The local computer guest account SID is used in the following command.
- Type psgetsid lgsid, where lgsid is the local computer guest account SID that is displayed by the command that you ran in the previous step, and then press ENTER. The command output translates the SID to the name of the local computer guest account.
If these commands run without error, the lookup operations are functioning successfully.