I have the following situation: the security groups of the Active Directory domain I belong to are no longer shown with a "friendly name"; I just get the SID. When I run `whoami /groups` I see a list of groups, plus a custom group I belong to, which is shown without a name:

```
Group name                                        Type                 SID
================================================= ==================== =============================================
                                                  Unknown SID type     S-1-5-21-31XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

(I just removed the full SID)

By the way, access to services in the domain that require me to be part of that group works fine, indicating that I'm currently part of that group anyhow (correctly).

So, online I'm finding only solutions on how to remove these "orphaned" SIDs, but I'd like to update it with the original name (MYDOMAIN\GroupName), not to delete it. Is there any tool to achieve this?


Edit: to better explain my problem, I started having these problems when I "disconnected" my PC from the domain, and then I restored a previous point to get back the situation.

Nova
  • By the way, I found [this tool: sidtoname](http://joeware.net/freetools/tools/sidtoname/index.htm), which correctly tells me that the SID is related to the group I'm expecting (`MYDOMAIN\GroupName`). I don't know how to "convince" Windows to restore that name into its records. – Nova Dec 04 '14 at 11:23
  • Do a dcdiag, something is wrong with your AD – yagmoth555 Dec 04 '14 at 12:02
  • dcdiag is returning `Executing the initial configuration: Looking for home server... ***Error: is not a directory server ERROR: can't find home server` – Nova Dec 04 '14 at 13:54
  • Validate that all FSMO roles are held by the DC (`NetDOM /query FSMO`) – yagmoth555 Dec 04 '14 at 13:58
  • Btw, did you run the command on your computer or on your DC ? As I see MY_PC_NAME. – yagmoth555 Dec 04 '14 at 14:05
  • I ran the command on my PC, as I don't have access to the DC server (not as an administrator, at least). My problem is that I "disconnected" my PC from the domain, and then I restored a previous point to get back the situation. Then, I got these problems... how can I re-connect to the domain in a "safe" way? Thank you very much. – Nova Dec 04 '14 at 14:12
  • PSgetSID: have a look at [Sysinternals PsGetSID](https://live.sysinternals.com/psgetsid.exe) – opexxx Apr 15 '19 at 16:31

1 Answer

Please ask an admin to rejoin your PC to the domain to reset the trust relationship; this will most likely resolve the issue.

Your computer account password from the restore point and the one in AD do not match. See this blog post for further reading on that process: http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

Reaces
yagmoth555
  • The fix that you describe will likely work, but what you've described is not a tombstone and is not how it works. – MDMarra Dec 04 '14 at 14:26
  • @mdmarra Oh, you are right. Will edit to remove that part. I had that word in my head, but the computer account password is another process – yagmoth555 Dec 04 '14 at 14:31
  • Thank you! This did the trick. What we did is actually to remove the computer from the domain, declaring it as part of a workgroup, and then re-join the domain again – Nova Dec 04 '14 at 18:10
  • @Nova Glad to know it's working ! have a nice day – yagmoth555 Dec 04 '14 at 18:56
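
A way to confirm the diagnosis from the affected PC before asking for a rejoin, as an added example that is not part of the original question, answer or comments. It assumes Windows PowerShell 5.1 on the domain-joined machine, run from an elevated prompt; the variable names are illustrative.

```powershell
# Added diagnostic sketch, not code from the thread.
# Step 1: list group SIDs in the current logon token that cannot be
#         translated to a name (the "Unknown SID type" rows in whoami /groups).
# Step 2: check the computer's secure channel to the domain, which breaks
#         when the local computer account password no longer matches AD.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$unresolved = foreach ($sid in $identity.Groups) {
    try {
        # Translate() asks the local security authority for the account name;
        # for domain SIDs this needs a working path to a domain controller.
        [void]$sid.Translate([System.Security.Principal.NTAccount])
    }
    catch {
        # Keep the SID and the reason so both can be passed to an admin.
        [pscustomobject]@{
            Sid    = $sid.Value
            Reason = $_.Exception.InnerException.Message
        }
    }
}

if ($unresolved) {
    'Group SIDs in the token that do not resolve to a name:'
    $unresolved | Format-Table -AutoSize
}
else {
    'All group SIDs in the token resolve to names.'
}

# Test-ComputerSecureChannel returns $true when the channel between this
# computer and its domain is working; treat an error as a failed check.
try {
    $channelOk = Test-ComputerSecureChannel -ErrorAction Stop
}
catch {
    $channelOk = $false
}

if (-not $channelOk) {
    'Secure channel to the domain is broken: ask an admin to rejoin this PC.'
}
elseif ($unresolved) {
    'Secure channel is fine; the unresolved SIDs have a different cause.'
}
```

Unresolved domain SIDs together with a failed secure channel check match the situation in this thread, where group membership still worked but names could not be looked up until the PC was rejoined.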