Event ID 16409 — Well-Known Security Principals Upgrade

Updated: November 25, 2009

Applies To: Windows Server 2008


When a computer is promoted to become a domain controller, the Well-Known Security Principals Upgrade process adds the security principals to the Well-Known Security Principals container in Active Directory Domain Services (AD DS).

Event Details

Product: Windows Operating System
ID: 16409
Source: SAM
Version: 6.0
Message: Active Directory Domain Services failed to add a security principal to well known security principals container. Please have an administrator add this security principal if needed. Security principal name: %1


Add the security principal to the Well-Known Security Principals container

The Security Accounts Manager (SAM) database was not able to add the account (also known as the security principal) that is named in the Event Viewer event text to the Well Known Security Principals group. Make a note of the account name or security identifier (SID), as well as the group to which the account should be added. Restart the computer when you are prompted. After the computer restarts, add the account to the appropriate group. Perform the following procedure using a domain member computer that has domain administrative tools installed.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To add an account to the Well Known Security Principals group:

  1. Open the Active Directory Services Interface Editor (ADSIEdit). To open ADSIEdit, click Start. In Start Search, type adsiedit.msc, and then press ENTER.
  2. In the console tree, right-click ADSIEdit, and then click Connect to. The Connection Settings dialog box opens.
  3. In the drop-down list under Select a well known Naming Context, click Configuration, and then click OK.
  4. In the console tree, expand the Configuration object, and then double-click the naming context for the configuration.
  5. Right-click CN=WellKnown Security Principals, point to New, and then click Object. The Create Object dialog box opens.
  6. Ensure that the account is selected, and then click Next.
  7. In Value, type the name of the account in the Event Viewer event text, and then click Next.
  8. Click Finished.


To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. Perform the following steps using a domain controller in the domain or an administrative workstation that has the ADSI Edit snap-in installed.

To verify that the Well-Known Security Principals container has the appropriate objects:

  1. Open ADSI Edit. To open ADSI Edit, click Start. In Start Search, type adsiedit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the left pane, right-click ADSI Edit, and then click Connect to.
  3. In the Connection Settings dialog box, under Connection Point, ensure that Select a well known Naming Context is selected, and then select Configuration as the container.
  4. If you are using a domain controller in the domain that you need to verify, you can leave the Computer section of the dialog box at its default. Otherwise, select Select or type a domain or server, and then type the fully qualified domain name (FQDN) of a domain controller, for example, dc1.adatum.com. Click OK.
  5. In the console pane, expand the Configuration container. Expand the container directly below that, which is named CN=Configuration,DomainLDAP, where DomainLDAP is the Lightweight Directory Access Protocol (LDAP) path of your domain. For example, if your domain name is adatum.com, the LDAP path is DC=adatum,DC=com.
  6. Select the CN=WellKnown Security Principals object in the console pane.
  7. In the results pane, you should see a list of objects representing the Well-Known Security Principals. Use the list below to ensure that all Well-Known Security Principals objects are in the container.

The list of Well-Known Security Principals should include the following objects:

  • CN=Anonymous Logon
  • CN=Authenticated Users
  • CN=Batch
  • CN=Creator Group
  • CN=Creator Owner
  • CN=Dialup
  • CN=Digest Authentication
  • CN=Enterprise Domain Controllers
  • CN=Everyone
  • CN=Interactive
  • CN=Local Service
  • CN=Network
  • CN=Network Service
  • CN=NTLM Authentication
  • CN=Other Organizations
  • CN=Owner Rights
  • CN=Proxy
  • CN=Remote Interactive Logon
  • CN=Restricted
  • CN=SChannel Authentication
  • CN=Self
  • CN=Service
  • CN=System
  • CN=Terminal Server User
  • CN=This Organization
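
The verification steps above can also be scripted. The following PowerShell is an added example, not part of the original article or of any Microsoft tool; the function names Get-WellKnownPrincipalNames and Compare-WellKnownPrincipals are hypothetical, and the expected names are assumed to be exactly the list above.

```powershell
# Added example; function names are hypothetical. Expected CNs come from the list on this page.
$Expected = @(
    'Anonymous Logon', 'Authenticated Users', 'Batch', 'Creator Group', 'Creator Owner',
    'Dialup', 'Digest Authentication', 'Enterprise Domain Controllers', 'Everyone',
    'Interactive', 'Local Service', 'Network', 'Network Service', 'NTLM Authentication',
    'Other Organizations', 'Owner Rights', 'Proxy', 'Remote Interactive Logon',
    'Restricted', 'SChannel Authentication', 'Self', 'Service', 'System',
    'Terminal Server User', 'This Organization'
)

function Get-WellKnownPrincipalNames {
    # Returns the cn of every direct child of CN=WellKnown Security Principals
    # in the configuration naming context. -Server is an optional DC FQDN.
    param([string]$Server)
    $prefix = 'LDAP://'
    if ($Server) { $prefix = "LDAP://$Server/" }
    $rootDse   = [ADSI]($prefix + 'RootDSE')
    $configNc  = [string]$rootDse.configurationNamingContext
    $container = [ADSI]($prefix + 'CN=WellKnown Security Principals,' + $configNc)
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter = '(objectClass=*)'
    [void]$searcher.PropertiesToLoad.Add('cn')
    foreach ($result in $searcher.FindAll()) { [string]$result.Properties['cn'][0] }
}

function Compare-WellKnownPrincipals {
    # Compares names found in the container with the expected list
    # (-notcontains is case-insensitive).
    param([string[]]$Found)
    $missing   = @($Expected | Where-Object { $Found -notcontains $_ })
    $notOnList = @($Found | Where-Object { $Expected -notcontains $_ })
    New-Object PSObject -Property @{
        Complete  = ($missing.Count -eq 0)
        Missing   = $missing
        NotOnList = $notOnList
    }
}

# Constructed sample (not real directory output): the page's list without 'Owner Rights'.
$sample = @($Expected | Where-Object { $_ -ne 'Owner Rights' })
Compare-WellKnownPrincipals -Found $sample | Format-List

# Against a live directory (dc1.adatum.com is the page's example FQDN):
# Compare-WellKnownPrincipals -Found (Get-WellKnownPrincipalNames -Server 'dc1.adatum.com') | Format-List
```

Names reported under Missing are the ones to add with the procedure earlier on this page.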

Related Management Information

Well-Known Security Principals Upgrade

Active Directory
