RE: IUSR_ (Server A) -> Account Unknown (Server B) problem



Dear Customer,

Thanks for your posting here.

After viewing your post, my understanding is as follows:

After you moved the data from an old Windows Server 2003 computer to a new
one, you noticed that the previous IUSR_ServerName account is displayed as
"Account Unknown (S-1-5-21...)".

Your concern is whether there is a simpler way to configure folders' and
files' permissions on your new server according to your old Windows 2003
server instead of modifying them one by one.

If there is any misunderstanding, please let me know.

Analysis:
==========

It is the expected behavior that "Account Unknown (S-1-5-21...)" but not
the user name is displayed. Also, I am sorry to say that you may still need
to adjust the permissions manually. Please allow me to explain why it
happens first.

1. Each user account has a unique SID. In this case, the two
IUSR_ServerName accounts are different user accounts because they have
different SIDs, although their display names are the same.

2. The string of "S-1-5-21..." is the SID of the previous IUSR_ServerName
account. The new IUSR_ServerName account on the newly installed system
should have a different SID.

3. NTFS authorization is based on the ACL (Access Control List), as we know.
An ACL includes many ACEs (Access Control Entries) to realize authorization,
each of which mainly consists of a SID (Security Identifier) and the specific
permissions that the user or system has. Please note that SIDs, not the user
display names, are used here.

4. Why, in most cases, do we see the user accounts' friendly display names and
not their SIDs directly when viewing the NTFS permissions? This is because
the Windows system "translates" the SIDs to their corresponding user account
names.

5. In this issue, the newly installed system does not know the old SID, and
cannot translate it to its account name. As a result, "Account Unknown
(S-1-5-21...)" is displayed.

Therefore, it is the expected behavior.

Also, I am sorry to say that we still need to manually adjust settings
(delete the "Account Unknown (S-1-5-21...)" items and assign the new
IUSR_ServerName account with necessary permissions).

Hope this helps. Thanks!

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->From: "dhomas trenn" <fake@xxxxxxxxxxxx>
--->Subject: IUSR_ (Server A) -> Account Unknown (Server B) problem
--->Date: Tue, 18 Dec 2007 12:29:01 -0400
--->Newsgroups: microsoft.public.windows.server.migration
--->
--->I'm migrating from one Windows 2003 Server that is near death, to another
--->one. I've managed to resolve most everything in transferring data except one
--->thing. When copying the folder/file structure to the new server, I am
--->getting errors with permissions from IIS Web Service Extensions. When I look
--->at the permissions on the old server, I see the user IUSR_ServerName.... but
--->on the new server where the folders/files have been copied to, it indicates
--->"Account Unknown(S-1-5-21...)" instead of IUSR_ServerName. To save me from
--->having to set the permissions on way too many folders/files, is there a
--->simple way to resolve this on the new server? Note that I have set up the
--->new server identical to the old server, so it has the exact same ServerName,
--->and the files are in identical places (C:\...) which hopefully will simplify
--->things.
--->
--->
--->--
--->
--->dhomas trenn
--->founder, creative interpreter - young monkey
--->---------------------------------------------------------------
--->http://www.youngmonkey.ca/
--->
--->
--->
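
The adjustment described in the reply (remove the ACEs that carry the old SID, grant the new IUSR_ServerName account the same rights) can be scripted rather than clicked through. The following is an added example, not part of the original thread or any Microsoft tool; the parameter names, the default account name and the use of Windows PowerShell on .NET Framework are assumptions, and the old SID must be supplied in full because the thread only shows it truncated. It matches one specific SID instead of "any SID that fails to resolve", so ACEs for domain accounts that are temporarily unresolvable are left alone.

```powershell
# Added example: re-point explicit ACEs from the old server's IUSR SID to the
# new server's IUSR account. Run elevated in Windows PowerShell (.NET Framework).
param(
    [Parameter(Mandatory = $true)][string]$Root,    # tree copied from the old server
    [Parameter(Mandatory = $true)][string]$OldSid,  # full SID shown after "Account Unknown"
    [string]$NewAccount = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",  # assumed name
    [switch]$Apply                                  # without -Apply, report only
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$old     = New-Object System.Security.Principal.SecurityIdentifier($OldSid)
$account = New-Object System.Security.Principal.NTAccount($NewAccount)
$new     = $account.Translate($sidType)             # throws if the new account is missing

$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

foreach ($item in $items) {
    try {
        $acl = $item.GetAccessControl('Access')     # DACL only; owner and SACL untouched
        # Explicit ACEs only: inherited ones change when the parent is fixed.
        $stale = @($acl.GetAccessRules($true, $false, $sidType) |
                   Where-Object { $_.IdentityReference.Value -eq $old.Value })
        if ($stale.Count -eq 0) { continue }

        foreach ($ace in $stale) {
            # Same rights, inheritance and allow/deny type, new trustee.
            $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $new, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.RemoveAccessRuleSpecific($ace)
            $acl.AddAccessRule($replacement)
        }

        if ($Apply) { $item.SetAccessControl($acl) }
        $verb = 'found'
        if ($Apply) { $verb = 'replaced' }
        "{0}: {1} explicit ACE(s) for {2} {3}" -f $item.FullName, $stale.Count, $old.Value, $verb
    }
    catch {
        # e.g. access denied, or an ACE with generic rights the constructor rejects
        Write-Warning ("{0}: skipped ({1})" -f $item.FullName, $_.Exception.Message)
    }
}
```

Run it once without `-Apply` and review the listed paths and counts before writing any ACLs.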
