Event ID 16935 — Security Configuration

Updated: November 25, 2009

Applies To: Windows Server 2008 R2

red

The Security Accounts Manager (SAM) is a service that is used during the logon process. The SAM maintains user account information, including groups to which a user belongs. The SAM is attempting to secure the computer accounts by removing the default Full Control permissions, which are assigned to the Builtin Account Operators group, from the access control entry (ACE) of a computer account.

Event Details

Product: Windows Operating System
ID: 16935
Source: SAM
Version: 6.0
Symbolic Name: SAMMSG_FAILED_MACHINE_ACCOUNT_SECURE
Message: Failed to secure the machine account %1. Have an administrator remove full control for the builtin\account operators access control entry from the security descriptor of this object.

Resolve

Remove the ACE from the security descriptor

The system failed to update the security descriptor on the computer account that is named in the Event Viewer event message text. Ensure that the Builtin Account Operators group does not appear on the access control entry (ACE) of the computer account. Perform the following procedure using a domain member computer that has domain administrative tools installed.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To manually secure a computer account:

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. On the View menu, ensure that Advanced Features is enabled. If this command is enabled, there is a check mark in the menu next to Advanced Features. If this command is not enabled, click Advanced Features. When you enable Advanced Features, you can see the Security tab in the properties of objects in Active Directory Users and Computers.
  3. Right-click the object that represents your domain, and then click Find.
  4. In the Find Users, Contacts, and Groups dialog box, in Find, click Computers. This changes the dialog box name to Find Computers.
  5. On the Computers tab, in Computer name, type the name of the computer, and then click Find Now. The computer object that you want to modify should appear in the search results.
  6. Right-click the object that represents the computer account, and then click Properties.
  7. On the Security tab of computernameProperties, look for the Account Operators group in the list of users and groups. If you find Account Operators, click the group, click Remove, and then click OK.

Verify

The Security Accounts Manager (SAM) secures computer accounts by removing the default Full Control permissions, which are assigned to the Builtin Account Operators group, from the access control entry (ACE) of a computer account. Perform the following procedure using a domain member computer that has domain administrative tools installed.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To verify that the SAM secured a computer account successfully:

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. On the View menu, ensure that Advanced Features is enabled. If this command is enabled, there is a check mark in the menu next to Advanced Features. If this command is not enabled, click Advanced Features. When you enable Advanced Features, you can see the Security tab in the properties of objects in Active Directory Users and Computers.
  3. Right-click the object that represents your domain, and then click Find.
  4. In the Find Users, Contacts, and Groups dialog box, in Find, click Computers. This changes the dialog box name to Find Computers.
  5. On the Computers tab, in Computer name, type the name of the computer, and then click Find Now. The computer object that you want to modify should appear in the search results.
  6. Right-click the object that represents the computer account, and then click Properties.
  7. On the Security tab of computername Properties, verify that the Account Operators group does not appear in the list of users and groups.

Related Management Information

Security Configuration

Active Directory

Community Additions

ADD
Show: