Security Incidents mailing list archives

RE: strange account in Win2k


From: "AJ Decker" <aj.decker () temple edu>
Date: Tue, 28 May 2002 13:56:31 -0400

Usually you will see that if for some reason the server cannot refresh the
account information for that particular user, especially if the accounts are
hosted on a separate machine (domain controller, etc.). Double-check to be
sure that communication between the webserver and wherever the account host
resides is stable, and try to refresh the screen.

If the account information does not get resolved, then either the original
account has been deleted from the controller, or that account has been
corrupted in some fashion. (I've seen it happen here a number of times.
Usually I deleted an account, and forgot to remove it from some other
machine where it was explicitly given access to some resource.)

All you are seeing there is the fashion that Win2k actually records the
lists of who has access to what.

<======= AJ Decker ======>
<==== System Manager ====>
<=School of Architecture=>
<== Temple University ===>
<==== (215) 204-2270 ====>

| This message was sent |
|  using 100% recycled  |
|       electrons.      |


-----Original Message-----
From: Mark Fagan [mailto:Mark.Fagan () esat com]
Sent: Tuesday, May 28, 2002 11:30 AM
To: incidents () securityfocus com
Subject: strange account in Win2k


While setting additional privileges on a Win2k webserver I noticed that
certain privileges (logon as batch job, act as part of o/s, logon locally
and network) were applied to a very strange account -
*S-1-5-21-527237240-162531612-725345543-1008 which is not seen as a user
account. Any ideas, folks?



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
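
An added example, not part of either message in this thread: a short Python audit that lists which user rights still reference an account SID that no longer resolves, the situation the reply describes. It assumes the rights were exported with `secedit /export` and that raw SIDs carry a leading `*` as in the post; the sample export, the `KNOWN_ACCOUNTS` map and the name `IUSR_WEB01` are constructed for illustration.

```python
import re

# Constructed sample in the layout of the [Privilege Rights] section of a
# `secedit /export` file; the SID is the one quoted in the post.
SAMPLE_INF = """\
[Privilege Rights]
SeBatchLogonRight = *S-1-5-21-527237240-162531612-725345543-1008,IUSR_WEB01
SeTcbPrivilege = *S-1-5-21-527237240-162531612-725345543-1008
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-527237240-162531612-725345543-1008
SeNetworkLogonRight = *S-1-1-0,*S-1-5-21-527237240-162531612-725345543-1008
"""

# Constructed stand-in for the accounts that still exist (SID -> name).
KNOWN_ACCOUNTS = {
    "S-1-5-21-527237240-162531612-725345543-500": "Administrator",
    "S-1-5-21-527237240-162531612-725345543-1001": "IUSR_WEB01",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split a SID string into identifier authority and sub-authorities."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(x) for x in m.group(2).lstrip("-").split("-")]
    return {"authority": int(m.group(1)), "subauthorities": subs}

def is_account_sid(sid):
    """True for S-1-5-21-<three machine/domain values>-<RID> SIDs."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    return p["authority"] == 5 and len(subs) == 5 and subs[0] == 21

def orphaned_rights(inf_text, known):
    """Map each unresolved account SID to the rights it still holds."""
    found = {}
    for line in inf_text.splitlines():
        if "=" not in line:
            continue
        right, members = (part.strip() for part in line.split("=", 1))
        for member in (m.strip() for m in members.split(",")):
            # A leading '*' marks a raw SID rather than an account name.
            sid = member[1:] if member.startswith("*") else None
            if sid and is_account_sid(sid) and sid not in known:
                found.setdefault(sid, []).append(right)
    return found

if __name__ == "__main__":
    for sid, rights in orphaned_rights(SAMPLE_INF, KNOWN_ACCOUNTS).items():
        print(sid, "RID", parse_sid(sid)["subauthorities"][-1], "->", ", ".join(rights))
```

Well-known SIDs such as `S-1-5-32-544` and `S-1-1-0` are skipped because they are not machine or domain account SIDs; only the `S-1-5-21-...` form with a trailing RID is compared against the account list.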

