6

In researching my problem for this question, I discovered that the SID for the account in the domain named "Administrator" account is:
S-1-5-21-2025429265-492894223-1708537768-1124

That's got to be wrong, because real Administrator SIDs end in 500. Using the same domain key and looking for SID S-1-5-21-2025429265-492894223-1708537768-500 turns up nothing — the built-in Administrator account just isn't there.

I don't know when or how this happened and I'm still looking, but I'm pretty sure it's been like this long enough that I don't even have a backup I could restore that would address this.

Does anyone have any ideas for how to put it right?


Since the account I'm talking about apparently isn't clear, I mean the account referred to in the 2nd bullet point under the "Causes" heading in this knowledge base article:
http://support.microsoft.com/kb/248079

The Administrator account Well-Known Security Identifier, or SID (the account name can be renamed)

Joel Coel

4 Answers

4

Hmm... that's decidedly a "not supposed to happen" scenario. The RID 500 Administrator account is stamped with the "isCriticalSystemObject" attribute set to true, and to my knowledge LSASS is supposed to return an ERROR_DS_UNWILLING_TO_PERFORM error (0x80072035) if you were to try and delete it. (I don't have a scratch AD sitting around in any of my VMs right now to give it a shot. Maybe later...)

How are you searching AD, anyway?

From AD Users and Computers, do a "Find" at the root of the domain, choose a "Custom Search" in the "Find" dropdown, go to the "Advanced" tab, and enter the LDAP search filter "(objectSid=S-1-5-21-2025429265-492894223-1708537768-500)". That'll give you a subtree search of the domain from the root of the directory.

If you really have deleted your RID 500 Administrator account somehow I'd strongly consider contacting Microsoft Product Support Services. They can probably have something coded to re-create the account (if they don't already have such a tool). I can't imagine how you managed to delete it anyway, because the only way I could think to do that would be direct interaction with the database through ESE. I really didn't think there was any publicly-exposed API that would let you delete an object marked with "isCriticalSystemObject" set to True, and I don't think you can set it to False on the RID 500 Administrator, either. Hmmm...

You've got an interesting situation there. Let us know what the subtree search above returns.

Evan Anderson
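The subtree search the answer above describes, done from a PowerShell prompt instead of the AD Users and Computers "Find" dialog. This is an added example and not code from the answer or the poster; it uses only System.DirectoryServices (no ActiveDirectory module, so it runs on 2003/2008-era domains from any domain-joined machine), reads the domain SID from the directory instead of hard-coding the poster's domain, and also reports the isCriticalSystemObject and disabled flags that the answers mention, so a disabled-but-present account is not mistaken for a missing one.

```powershell
# Added example (not the answer's own code): find the built-in
# Administrator by SID rather than by name, as a subtree search from the
# domain root. The domain SID is read from the domain head's objectSid
# and RID 500 appended, so this is not tied to any particular domain.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# The domain object's objectSid is the domain SID (S-1-5-21-x-y-z); the
# built-in Administrator is that SID with RID 500 appended.
$sidBytes  = [byte[]]$domain.Properties['objectSid'].Value
$domainSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
$adminSid  = "{0}-500" -f $domainSid.Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
# AD accepts the string (SDDL) form of a SID in an objectSid filter.
$searcher.Filter = "(objectSid=$adminSid)"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'samaccountname', 'iscriticalsystemobject', 'useraccountcontrol'))

$hit = $searcher.FindOne()
if ($hit -eq $null) {
    Write-Warning "No live object with objectSid $adminSid under $domainDn"
} else {
    $p   = $hit.Properties
    $uac = [int]$p['useraccountcontrol'][0]
    # userAccountControl bit 0x2 (ACCOUNTDISABLE) means disabled, not missing;
    # isCriticalSystemObject=TRUE is what is supposed to block deletion.
    New-Object PSObject -Property @{
        DistinguishedName      = [string]$p['distinguishedname'][0]
        SamAccountName         = [string]$p['samaccountname'][0]
        IsCriticalSystemObject = [bool]$p['iscriticalsystemobject'][0]
        Disabled               = (($uac -band 0x2) -ne 0)
    }
}
```

Run it as any domain user; reading these attributes needs no special rights. If it prints the warning, the object is absent from the live directory regardless of what the account has been renamed to, which is the situation the question describes.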
2

That looks like a user SID; the only SID which ends in -500 is for the built-in account specifically named Administrator. (By default -- it can be renamed via group policy.)

You're a bit unclear with the phrase 'my Administrator account' -- if you mean your personal domain admin account, what you're seeing is correct. If you mean the account named Administrator, then I'd start checking group policy to find out what's happened to the built-in Administrator account -- perhaps someone has renamed it, then created another account named Administrator?

Stephen Veiss
  • I mean the built-in account named Administrator whose SID is supposed to end with 500. It's just gone. There is no account with the proper SID and nothing remotely close in the Built-in group in AD Users and Computers. – Joel Coel Aug 23 '09 at 12:42
0

Built-in account for what and where? A domain administrator account is not "built-in" as far as I know as it's a domain account - the built-in local administrator on a domain controller is only available in directory services restore mode or if you demote it back to a member server. At least that's my guess, but it may be wrong ^^

Anyhow, if it is gone and it should indeed exist a sid 500 administrator in a domain (beats me, someone else knows I guess ;) have you checked the Deleted Objects if it's been deleted?

Oskar Duveborn
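Checking the Deleted Objects container, as the answer above suggests, done from PowerShell with the same SID-based filter. This is an added example, not the answer's code. objectSid is one of the attributes preserved on a tombstone, so the RID 500 SID can be searched for directly; the DirectorySearcher.Tombstone property sends the "show deleted objects" LDAP control, and by default only members of the domain's Administrators group can read that container. The domain SID is again read from the directory rather than assumed.

```powershell
# Added example (not the answer's own code): look for a tombstone of the
# RID 500 account in CN=Deleted Objects. Requires rights to read deleted
# objects (Administrators by default) and only finds objects deleted
# within the tombstone lifetime.

$rootDse   = [ADSI]"LDAP://RootDSE"
$domainDn  = [string]$rootDse.defaultNamingContext
$domain    = [ADSI]"LDAP://$domainDn"
$domainSid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$domain.Properties['objectSid'].Value, 0)
$adminSid  = "{0}-500" -f $domainSid.Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.Tombstone   = $true     # LDAP_SERVER_SHOW_DELETED_OID control
$searcher.Filter      = "(&(isDeleted=TRUE)(objectSid=$adminSid))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'lastknownparent', 'whenchanged'))

$tomb = $searcher.FindOne()
if ($tomb -eq $null) {
    Write-Warning "No tombstone with objectSid $adminSid; either it was never deleted or the tombstone has already been garbage-collected."
} else {
    $p = $tomb.Properties
    # lastKnownParent records where the object lived before deletion;
    # whenChanged on a tombstone is roughly the deletion time.
    New-Object PSObject -Property @{
        Tombstone       = [string]$p['distinguishedname'][0]
        LastKnownParent = [string]$p['lastknownparent'][0]
        DeletedAround   = $p['whenchanged'][0]
    }
}
```

A hit here tells you when and from where the object was deleted, which is the evidence the question says is missing; no hit after the tombstone lifetime (60 or 180 days depending on forest age) is consistent with the poster's remark that no useful backup remains.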
0

What version of Windows? Vista/2008 and later disable the built-in Administrator account by default. I'm also not sure, from your description, whether you are looking at AD (domain) or SAM (non-domain). You won't find that SID in AD for any domain-joined 2008 machine.

dmoisan