Share via


Event ID 16403 — Well-Known Account Upgrade

Applies To: Windows Server 2008 R2

When a computer is promoted to become a domain controller, the promotion process recreates the required well-known groups and local groups that are not present when you install Active Directory Domain Services (AD DS) to make a computer a domain controller.

Event Details

Product: Windows Operating System
ID: 16403
Source: SAM
Version: 6.0
Symbolic Name: SAMMSG_USER_SETUP_ERROR
Message: The error "%2" occurred when trying to create the well known account %1.

Resolve

Ensure that the account exists and that it has the correct data

The Security Accounts Manager (SAM) was not able to properly upgrade the account that is identified in the Event Viewer event text. The problem may be related to a resource issue during a database read or write operation, or it may be due to a duplicate account name. Determine if the account was created, and configure the account properties as necessary. If the account was not created or if an account name is duplicated, create an account with a unique name for the account that could not be upgraded. Perform the following procedure using the computer that is logging the event to be resolved.

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

Search for the account and verify account properties

To search for the account and verify account properties:

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the console tree, right-click the object that represents your domain, and then click Find. The Find Users, Contacts, and Groups dialog box opens.
  3. In Name, type the account name that is specified in the event text, and then click Find Now:
    • If the account appears in Search results, right-click the account, and then click Properties. Review the account properties to be sure that the account you found represents the account that is named in the event text. Specifically, try to determine that there was not an attempt to create two accounts with the same name.
    • If the account is different from the account that was named in the event text, create an account with a unique name for the account that was named in the event text. Set the properties of the new account to match the properties of the account that is named in the event text.
    • If the account does not appear in Search results, create the account with a unique name and the same user account properties as it had previously.

Create an account using Active Directory Users and Computers

To create an account using Active Directory Users and Computers:

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search type dsa.msc, and then press ENTER.

  2. In the console tree, expand the hierarchy of objects.

  3. Right-click the container in which you want to create the new account, click New, and then click the account type that you want to create (such as Computer, Contact, Group, and User). Fill out all the required fields (and any of the appropriate optional fields) in the dialog box that appears for the specific type of account that you selected.

    If you select an account type of User or InetOrgPerson, an additional dialog box appears. Click Next to go to the next dialog box, and then fill out the appropriate information.

  4. When you have filled out all the appropriate information and you are ready to create the account, click OK.

Verify

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. Perform the following steps using a domain controller in the domain.

To verify that the well-known accounts exist:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type dsquery * -filter "(objectSID=*)" -limit 44 -attr objectsid distinguishedname > wellknownaccounts.txt, and press ENTER. The first 44 accounts in the directory are copied to a text file.
  3. Type notepad wellknownaccounts.txt and press ENTER. The file opens in Notepad.
  4. Check the entries in the list against the following table.

In the following table dSID represents the unique groups of digits that are the domain's security identifier (SID) and dpath represents the actual Lightweight Directory Access Protocol (LDAP) path of the domain. For example, if the domain is named adatum.com, the LDAP path is DC=adatum,DC=com.

Well-known security identifiers and accounts

objectsid distinguishedname 
S-1-5-4 CN=S-1-5-4,CN=ForeignSecurityPrincipals,dpath
S-1-5-9 CN=S-1-5-9,CN=ForeignSecurityPrincipals,dpath
S-1-5-11 CN=S-1-5-11,CN=ForeignSecurityPrincipals,dpath
S-1-5-17 CN=S-1-5-17,CN=ForeignSecurityPrincipals,dpath
S-1-5-32 CN=Builtin,dpath
S-1-5-32-544 CN=Administrators,CN=Builtin,dpath
S-1-5-32-545 CN=Users,CN=Builtin,dpath
S-1-5-32-546 CN=Guests,CN=Builtin,dpath
S-1-5-32-548 CN=Account Operators,CN=Builtin,dpath
S-1-5-32-549 CN=Server Operators,CN=Builtin,dpath
S-1-5-32-550 CN=Print Operators,CN=Builtin,dpath
S-1-5-32-551 CN=Backup Operators,CN=Builtin,dpath
S-1-5-32-552 CN=Replicator,CN=Builtin,dpath
S-1-5-32-554 CN=Pre-Windows 2000 Compatible Access,CN=Builtin,dpath
S-1-5-32-555 CN=Remote Desktop Users,CN=Builtin,dpath
S-1-5-32-556 CN=Network Configuration Operators,CN=Builtin,dpath
S-1-5-32-557 CN=Incoming Forest Trust Builders,CN=Builtin,dpath
S-1-5-32-558 CN=Performance Monitor Users,CN=Builtin,dpath
S-1-5-32-559 CN=Performance Log Users,CN=Builtin,dpath
S-1-5-32-560 CN=Windows Authorization Access Group,CN=Builtin,dpath
S-1-5-32-561 CN=Terminal Server License Servers,CN=Builtin,dpath
S-1-5-32-562 CN=Distributed COM Users,CN=Builtin,dpath
S-1-5-32-568 CN=IIS_IUSRS,CN=Builtin,dpath
S-1-5-32-569 CN=Cryptographic Operators,CN=Builtin,dpath
S-1-5-32-573 CN=Event Log Readers,CN=Builtin,dpath
S-1-5-32-574 CN=Certificate Service DCOM Access,CN=Builtin,dpath
S-1-5-21-dSID dpath
S-1-5-21-dSID-498 CN=Enterprise Read-only Domain Controllers,CN=Users,dpath
S-1-5-21-dSID-500 CN=Administrator,CN=Users,dpath
S-1-5-21-dSID-501 CN=Guest,CN=Users,dpath
S-1-5-21-dSID-502 CN=krbtgt,CN=Users,dpath
S-1-5-21-dSID-512 CN=Domain Admins,CN=Users,dpath
S-1-5-21-dSID-513 CN=Domain Users,CN=Users,dpath
S-1-5-21-dSID-514 CN=Domain Guests,CN=Users,dpath
S-1-5-21-dSID-515 CN=Domain Computers,CN=Users,dpath
S-1-5-21-dSID-516 CN=Domain Controllers,CN=Users,dpath
S-1-5-21-dSID-517 CN=Cert Publishers,CN=Users,dpath
S-1-5-21-dSID-518 CN=Schema Admins,CN=Users,dpath
S-1-5-21-dSID-519 CN=Enterprise Admins,CN=Users,dpath
S-1-5-21-dSID-520 CN=Group Policy Creator Owners,CN=Users,dpath
S-1-5-21-dSID-521 CN=Read-only Domain Controllers,CN=Users,dpath
S-1-5-21-dSID-553 CN=RAS and IAS Servers,CN=Users,dpath
S-1-5-21-dSID-571 CN=Allowed RODC Password Replication Group,CN=Users,dpath
S-1-5-21-dSID-572 CN=Denied RODC Password Replication Group,CN=Users,dpath

Well-Known Account Upgrade

Active Directory