Share via

Event ID 12305 — Well-Known Account Upgrade

Applies To: Windows Server 2008

When a computer is promoted to become a domain controller, the promotion process recreates the required well-known groups and local groups that are not present when you install Active Directory Domain Services (AD DS) to make a computer a domain controller.

Event Details

Product: Windows Operating System
ID: 12305
Source: SAM
Version: 6.0
Message: An error occured while creating new default accounts for this domain. This may be due to a transient error condition. The task will retry periodically until success and will log this message again in a week if the problem persists.


Check event logs in an hour to see if the problem persists

The Security Accounts Manager (SAM) was not able to create a well-known account as a result of a computer resource error. The account name and resource error are in the Event Viewer event text. The SAM will attempt to create the account again in about an hour. If this error is reported a second time, review other entries in Event Viewer that may explain the resource issue, and then resolve the issue appropriately.


To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. Perform the following steps using a domain controller in the domain.

To verify that the well-known accounts exist:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type dsquery * -filter "(objectSID=*)" -limit 44 -attr objectsid distinguishedname > wellknownaccounts.txt, and press ENTER. The first 44 accounts in the directory are copied to a text file.
  3. Type notepad wellknownaccounts.txt and press ENTER. The file opens in Notepad.
  4. Check the entries in the list against the following table.

In the following table dSID represents the unique groups of digits that are the domain's security identifier (SID) and dpath represents the actual Lightweight Directory Access Protocol (LDAP) path of the domain. For example, if the domain is named, the LDAP path is DC=adatum,DC=com.

Well-known security identifiers and accounts

objectsid distinguishedname 
S-1-5-4 CN=S-1-5-4,CN=ForeignSecurityPrincipals,dpath
S-1-5-9 CN=S-1-5-9,CN=ForeignSecurityPrincipals,dpath
S-1-5-11 CN=S-1-5-11,CN=ForeignSecurityPrincipals,dpath
S-1-5-17 CN=S-1-5-17,CN=ForeignSecurityPrincipals,dpath
S-1-5-32 CN=Builtin,dpath
S-1-5-32-544 CN=Administrators,CN=Builtin,dpath
S-1-5-32-545 CN=Users,CN=Builtin,dpath
S-1-5-32-546 CN=Guests,CN=Builtin,dpath
S-1-5-32-548 CN=Account Operators,CN=Builtin,dpath
S-1-5-32-549 CN=Server Operators,CN=Builtin,dpath
S-1-5-32-550 CN=Print Operators,CN=Builtin,dpath
S-1-5-32-551 CN=Backup Operators,CN=Builtin,dpath
S-1-5-32-552 CN=Replicator,CN=Builtin,dpath
S-1-5-32-554 CN=Pre-Windows 2000 Compatible Access,CN=Builtin,dpath
S-1-5-32-555 CN=Remote Desktop Users,CN=Builtin,dpath
S-1-5-32-556 CN=Network Configuration Operators,CN=Builtin,dpath
S-1-5-32-557 CN=Incoming Forest Trust Builders,CN=Builtin,dpath
S-1-5-32-558 CN=Performance Monitor Users,CN=Builtin,dpath
S-1-5-32-559 CN=Performance Log Users,CN=Builtin,dpath
S-1-5-32-560 CN=Windows Authorization Access Group,CN=Builtin,dpath
S-1-5-32-561 CN=Terminal Server License Servers,CN=Builtin,dpath
S-1-5-32-562 CN=Distributed COM Users,CN=Builtin,dpath
S-1-5-32-568 CN=IIS_IUSRS,CN=Builtin,dpath
S-1-5-32-569 CN=Cryptographic Operators,CN=Builtin,dpath
S-1-5-32-573 CN=Event Log Readers,CN=Builtin,dpath
S-1-5-32-574 CN=Certificate Service DCOM Access,CN=Builtin,dpath
S-1-5-21-dSID dpath
S-1-5-21-dSID-498 CN=Enterprise Read-only Domain Controllers,CN=Users,dpath
S-1-5-21-dSID-500 CN=Administrator,CN=Users,dpath
S-1-5-21-dSID-501 CN=Guest,CN=Users,dpath
S-1-5-21-dSID-502 CN=krbtgt,CN=Users,dpath
S-1-5-21-dSID-512 CN=Domain Admins,CN=Users,dpath
S-1-5-21-dSID-513 CN=Domain Users,CN=Users,dpath
S-1-5-21-dSID-514 CN=Domain Guests,CN=Users,dpath
S-1-5-21-dSID-515 CN=Domain Computers,CN=Users,dpath
S-1-5-21-dSID-516 CN=Domain Controllers,CN=Users,dpath
S-1-5-21-dSID-517 CN=Cert Publishers,CN=Users,dpath
S-1-5-21-dSID-518 CN=Schema Admins,CN=Users,dpath
S-1-5-21-dSID-519 CN=Enterprise Admins,CN=Users,dpath
S-1-5-21-dSID-520 CN=Group Policy Creator Owners,CN=Users,dpath
S-1-5-21-dSID-521 CN=Read-only Domain Controllers,CN=Users,dpath
S-1-5-21-dSID-553 CN=RAS and IAS Servers,CN=Users,dpath
S-1-5-21-dSID-571 CN=Allowed RODC Password Replication Group,CN=Users,dpath
S-1-5-21-dSID-572 CN=Denied RODC Password Replication Group,CN=Users,dpath

Well-Known Account Upgrade

Active Directory