Go Back   Tech Support Forum > Microsoft Support > Windows 7 Support, Windows Vista Support

No Users in Local Administrators Group

This is a discussion on No Users in Local Administrators Group within the Windows 7 Support, Windows Vista Support forums, part of the Tech Support Forum category. Hey guys, I've searched around on the internet for a resolution to this problem and the best I've found is


Closed Thread
 
Thread Tools Search this Thread
Old 01-22-2009, 07:16 AM   #1
Registered Member
 
Join Date: Jan 2009
Posts: 5
OS: Vista SP1



Hey guys, I've searched around on the internet for a resolution to this problem and the best I've found is a couple of posts on other forums describing this problem but no solution. The other guys were running Windows 2000 I think, not Vista.

When attempting to view the members of the local administrators group I see
no users at all, even when in the context of the local administrators
account. If I attempt to add an account to the group that I know is in there
already, I receive the following message:

"Username" is already a member of group "Administrators".

I've also tried running a vb script to enumerate the users in local
administrators group and this returns no results. (Can provide the code if required).

I knocked up a C# app that calls NetLocalGroupGetMembers but this returns 87 (ERROR_INVALID_PARAMETER) when the groupname parameter = "administrators". When groupname = "users" the function returns 0 (ERROR_SUCCESS), indicating that it is succesful.

Any ideas how I can resolve this?

__________________
meedax is offline  
Old 01-22-2009, 01:58 PM   #2
Team Manager, Microsoft Support
Microsoft MVP
BSOD Kernel Dump Expert
 
jcgriff2's Avatar

Microsoft Most Valuable Professional
 
Join Date: Sep 2007
Location: BSOD CENTRAL
Posts: 30,369
OS: Windows 8.1, 8 ,7 + Windbg :)



Hi -

Try this & see if it brings names/ additional info out for you:

Bring up an elevated admin cmd/DOS prompt -
START | type cmd.exe into the start search box | right click on cmd.exe | select run as administrator | paste the following in (right-click at top of DOS screen, select Edit, select Paste) -
Code:
whoami /all > %temp%\w1.txt & start notepad %temp%\w1.txt
Regards. . .

jcgriff2

.

jcgriff2 is offline  
Old 01-23-2009, 02:41 AM   #3
Registered Member
 
Join Date: Jan 2009
Posts: 5
OS: Vista SP1



Hi jcgriff2, thanks for the reply.

I gave that a go for a couple of domain accounts that I know to be in the Local Administrators group.

In both cases it listed that they were both a member of the Local Admin group:

Code:
Group Name: BUILTIN\Administrators  
Type: Alias
SID: S-1-5-32-544
Attributes: Mandatory group, Enabled by default, Enabled group, Group owner
So far so good. However, it still doesn't show me all the members of the Local Admin group. Your suggestion did get me thinking, so I tried (from an elevated command prompt):

Code:
net localgroup administrators
which returned:

Code:
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
System error 87 has occurred.

The parameter is incorrect.
This is the error I received when calling the NetLocalGroupGetMembers API directly - so helps to rule out a coding error on my part.

Incedentaly, the following:

Code:
net localgroup users
worked fine:

Code:
Alias name     users
Comment        Users are prevented from making accidental or intentional system-wide changes and can
 run most applications

Members

-------------------------------------------------------------------------------
ASPNET
debugger
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
Test
XRDS\Domain Users
The command completed successfully.
__________________
meedax is offline  
Old 01-23-2009, 08:57 AM   #4
Registered Member
 
Join Date: Jan 2009
Posts: 5
OS: Vista SP1



I've done some further debugging of the NetLocalGroupGetMembers API and looks like it calls LsarLookupSids2 (translates SIDS into names), which fails - returning C000000D (STATUS_INVALID_PARAMETER in ntstatus.h). This then gets translated to 87 (ERROR_INVALID_PARAMETER in winerror.h) before being returned by NetLocalGroupGetMembers.
__________________
meedax is offline  
Old 01-26-2009, 03:17 AM   #5
Team Manager, Microsoft Support
Microsoft MVP
BSOD Kernel Dump Expert
 
jcgriff2's Avatar

Microsoft Most Valuable Professional
 
Join Date: Sep 2007
Location: BSOD CENTRAL
Posts: 30,369
OS: Windows 8.1, 8 ,7 + Windbg :)



Did you get a listing like this -
Code:
Group Name                           Type             SID          Attributes                                                     
==================================== ================ ============ ===============================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group             
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group             
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group             
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group             


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
jcgriff2 is offline  
Old 01-27-2009, 04:23 AM   #6
Registered Member
 
Join Date: Jan 2009
Posts: 5
OS: Vista SP1



I've omitted the domain groups for security purposes, however they were all effectively:

Code:
DOMAIN\GROUP             Group            SID  Mandatory group, Enabled by default, Enabled group
Code:
GROUP INFORMATION
-----------------

Group Name                                           Type             SID                                             Attributes                                                     
==================================================== ================ =============================================== ===============================================================
Everyone                                             Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group             
AlexDev\Debugger Users                               Alias            S-1-5-21-1533202280-930934923-281820185-1009    Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                               Alias            S-1-5-32-544                                    Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                        Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE                             Well-known group S-1-5-4                                         Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users                     Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization                       Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group             
LOCAL                                                Well-known group S-1-2-0                                         Mandatory group, Enabled by default, Enabled group             
[DOMAIN GROUPS OMITTED]
Mandatory Label\High Mandatory Level                 Unknown SID type S-1-16-12288                                    Mandatory group, Enabled by default, Enabled group             


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
I've also carried out a checkdisk including scanning for bad sectors. There were no errors reported.
__________________
meedax is offline  
Old 10-23-2009, 11:44 AM   #7
Registered Member
 
Join Date: Oct 2009
Posts: 1
OS: Vista



Hello,

I am having the exactly the same issue here. Did you get the solution for this ?

Thanks
Paul
__________________
pfrank61 is offline  
Old 10-24-2009, 01:25 AM   #8
Registered Member
 
Join Date: Jan 2009
Posts: 5
OS: Vista SP1



No unfortunately not. I rebuilt the machine in the end.

__________________
meedax is offline  
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2


All times are GMT -7. The time now is 03:41 PM.


Copyright 2001 - 2014, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts