Event ID 16406 — Well-Known Account Upgrade
Applies To: Windows Server 2008
.jpg)
When a computer is promoted to become a domain controller, the promotion process recreates the required well-known groups and local groups that are not present when you install Active Directory Domain Services (AD DS) to make a computer a domain controller.
Event Details
| Product: | Windows Operating System |
| ID: | 16406 |
| Source: | SAM |
| Version: | 6.0 |
| Symbolic Name: | SAMMSG_WELL_KNOWN_ACCOUNT_RECREATED |
| Message: | The Security Account Database detected that the well known account %1 does not exist. The account has been recreated. Please reset the password for the account. |
Resolve
Reset the password for a well-known account that was created recently
The Security Accounts Manager (SAM) created a required built-in account that did not exist. Reset the password on this account. The account name is in the Event Viewer event text. Perform the following procedure using a domain member computer with the domain administrative tools installed.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To locate an account and reset the account password:
- Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- In the console tree, right-click the object that represents your domain, and then click Find. The Find Users, Contacts, and Groups dialog box opens.
- In Name, type the name of the account that is specified in the event text, and then click Find Now.
- In Search results, right-click the account that requires a password reset, and then click Reset Password. The Reset Password dialog box appears.
- In New Password, type the password, and, in Confirm Password, type the same password again, and then click OK.
- To confirm the password change, click OK.
Verify
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. Perform the following steps using a domain controller in the domain.
To verify that the well-known accounts exist:
- Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type dsquery * -filter "(objectSID=*)" -limit 44 -attr objectsid distinguishedname > wellknownaccounts.txt, and press ENTER. The first 44 accounts in the directory are copied to a text file.
- Type notepad wellknownaccounts.txt and press ENTER. The file opens in Notepad.
- Check the entries in the list against the following table.
In the following table dSID represents the unique groups of digits that are the domain's security identifier (SID) and dpath represents the actual Lightweight Directory Access Protocol (LDAP) path of the domain. For example, if the domain is named adatum.com, the LDAP path is DC=adatum,DC=com.
Well-known security identifiers and accounts
| objectsid | distinguishedname |
|---|---|
| S-1-5-4 | CN=S-1-5-4,CN=ForeignSecurityPrincipals,dpath |
| S-1-5-9 | CN=S-1-5-9,CN=ForeignSecurityPrincipals,dpath |
| S-1-5-11 | CN=S-1-5-11,CN=ForeignSecurityPrincipals,dpath |
| S-1-5-17 | CN=S-1-5-17,CN=ForeignSecurityPrincipals,dpath |
| S-1-5-32 | CN=Builtin,dpath |
| S-1-5-32-544 | CN=Administrators,CN=Builtin,dpath |
| S-1-5-32-545 | CN=Users,CN=Builtin,dpath |
| S-1-5-32-546 | CN=Guests,CN=Builtin,dpath |
| S-1-5-32-548 | CN=Account Operators,CN=Builtin,dpath |
| S-1-5-32-549 | CN=Server Operators,CN=Builtin,dpath |
| S-1-5-32-550 | CN=Print Operators,CN=Builtin,dpath |
| S-1-5-32-551 | CN=Backup Operators,CN=Builtin,dpath |
| S-1-5-32-552 | CN=Replicator,CN=Builtin,dpath |
| S-1-5-32-554 | CN=Pre-Windows 2000 Compatible Access,CN=Builtin,dpath |
| S-1-5-32-555 | CN=Remote Desktop Users,CN=Builtin,dpath |
| S-1-5-32-556 | CN=Network Configuration Operators,CN=Builtin,dpath |
| S-1-5-32-557 | CN=Incoming Forest Trust Builders,CN=Builtin,dpath |
| S-1-5-32-558 | CN=Performance Monitor Users,CN=Builtin,dpath |
| S-1-5-32-559 | CN=Performance Log Users,CN=Builtin,dpath |
| S-1-5-32-560 | CN=Windows Authorization Access Group,CN=Builtin,dpath |
| S-1-5-32-561 | CN=Terminal Server License Servers,CN=Builtin,dpath |
| S-1-5-32-562 | CN=Distributed COM Users,CN=Builtin,dpath |
| S-1-5-32-568 | CN=IIS_IUSRS,CN=Builtin,dpath |
| S-1-5-32-569 | CN=Cryptographic Operators,CN=Builtin,dpath |
| S-1-5-32-573 | CN=Event Log Readers,CN=Builtin,dpath |
| S-1-5-32-574 | CN=Certificate Service DCOM Access,CN=Builtin,dpath |
| S-1-5-21-dSID | dpath |
| S-1-5-21-dSID-498 | CN=Enterprise Read-only Domain Controllers,CN=Users,dpath |
| S-1-5-21-dSID-500 | CN=Administrator,CN=Users,dpath |
| S-1-5-21-dSID-501 | CN=Guest,CN=Users,dpath |
| S-1-5-21-dSID-502 | CN=krbtgt,CN=Users,dpath |
| S-1-5-21-dSID-512 | CN=Domain Admins,CN=Users,dpath |
| S-1-5-21-dSID-513 | CN=Domain Users,CN=Users,dpath |
| S-1-5-21-dSID-514 | CN=Domain Guests,CN=Users,dpath |
| S-1-5-21-dSID-515 | CN=Domain Computers,CN=Users,dpath |
| S-1-5-21-dSID-516 | CN=Domain Controllers,CN=Users,dpath |
| S-1-5-21-dSID-517 | CN=Cert Publishers,CN=Users,dpath |
| S-1-5-21-dSID-518 | CN=Schema Admins,CN=Users,dpath |
| S-1-5-21-dSID-519 | CN=Enterprise Admins,CN=Users,dpath |
| S-1-5-21-dSID-520 | CN=Group Policy Creator Owners,CN=Users,dpath |
| S-1-5-21-dSID-521 | CN=Read-only Domain Controllers,CN=Users,dpath |
| S-1-5-21-dSID-553 | CN=RAS and IAS Servers,CN=Users,dpath |
| S-1-5-21-dSID-571 | CN=Allowed RODC Password Replication Group,CN=Users,dpath |
| S-1-5-21-dSID-572 | CN=Denied RODC Password Replication Group,CN=Users,dpath |