Windows 2000 SP2 local policy settings not stored using SIDs?

From: Eric Domazlicky (edomazlicky@SEMOVM.SEMO.EDU)
Date: 07/30/01

Date:         Mon, 30 Jul 2001 12:36:16 -0500
From: Eric Domazlicky <edomazlicky@SEMOVM.SEMO.EDU>
Subject:      Windows 2000 SP2 local policy settings not stored using SIDs?

Maybe this is a well-known issue but IMHO it's just lazy programming on
Microsoft's part:

Repeat these steps to reproduce the bug:

1. Log in as a local admin
2. Check your local security policy under "User rights" to make sure
"Everyone" cannot log on locally; by default it can't, I think.
3. Rename the local administrators group to something besides
4. Reboot your machine
5. Try to log in as an administrator either Domain or local. You can't
because your local policy setting says "Administrators" may logon locally
but that group no longer exists (since you renamed it). In other words, the
local policy settings aren't stored using SIDs, it's just storing straight
group names - very lazy on the part of Microsoft. Also quite annoying when
you find you can't login to your machine because you changed the name of the
Administrators group.

The only way to log on as an administrator to that workstation is to get the
NTrights.exe file from the W2k resource kit and run it from a remote machine
to grant your renamed Administrators group Log on locally rights.

Eric Domazlicky
Technical Specialist
Southeast Missouri State University
Computer Services
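
An audit check for the situation described in the message above, added here as an example and not part of the original post: it parses the [Privilege Rights] section of a template exported with `secedit /export /cfg`, where principals stored as SIDs carry a leading `*`, and flags a logon right that is held only by name-based entries. The sample template and the function names are constructed for illustration.

```python
import re

# Constructed sample of a `secedit /export /cfg` template (not from the post).
# In this format a principal stored as a SID is written with a leading '*';
# an entry without it is stored as a plain account or group name.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = Administrators,Backup Operators
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,Power Users
SeDenyInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
"""

SID_RE = re.compile(r"^\*S-1-\d+(-\d+)+$")

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            right, _, value = line.partition("=")
            rights[right.strip()] = [
                p.strip().strip('"') for p in value.split(",") if p.strip()
            ]
    return rights

def audit(inf_text, critical=("SeInteractiveLogonRight",)):
    """Split each right's principals into SID and name entries and flag risk."""
    report = {}
    for right, principals in parse_privilege_rights(inf_text).items():
        by_sid = [p for p in principals if SID_RE.match(p)]
        by_name = [p for p in principals if not SID_RE.match(p)]
        # In the post's scenario a renamed group no longer matches a name-based
        # entry, so a critical right with no SID entry at all is flagged.
        risk = right in critical and bool(by_name) and not by_sid
        report[right] = {"by_sid": by_sid, "by_name": by_name, "lockout_risk": risk}
    return report

if __name__ == "__main__":
    for right, info in audit(SAMPLE_INF).items():
        print(right, info)
```
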
