Does anyone out there know anything more about this user SID than google does? (S-1-5-20) I have it in the "Foreign Security Principals" container in my Win2k3 domain and have been getting DCOM errors like this one:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 11/26/2007
Time: 12:10:31 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: <server name>
Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{>>>That's Microsoft WMI Provider Subsystem Host<<<) to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
For more information, see Help and Support Center at
I had had a problem where the msiexec app (Add/Rem Programs) among others wouldn't launch at all and found that the RPC service was logging on as this user. I changed it to Local System Account and just about everything was magically working again. I still have a mess in DCOMCNFG with other apps that are trying to run under NT AUTHORITY\NETWORK SERVICE and aren't doing too well.
>Should this object be under foreign security principals?
>Has anyone else had any similiar issues with integral apps failing due to this logon?
>In your opinion, is there a chance that S-1-5-20 has been corrupted or taken over by malware of some sort?
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 11/26/2007
Time: 12:10:31 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: <server name>
Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{>>>That's Microsoft WMI Provider Subsystem Host<<<) to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
For more information, see Help and Support Center at
I had had a problem where the msiexec app (Add/Rem Programs) among others wouldn't launch at all and found that the RPC service was logging on as this user. I changed it to Local System Account and just about everything was magically working again. I still have a mess in DCOMCNFG with other apps that are trying to run under NT AUTHORITY\NETWORK SERVICE and aren't doing too well.
>Should this object be under foreign security principals?
>Has anyone else had any similiar issues with integral apps failing due to this logon?
>In your opinion, is there a chance that S-1-5-20 has been corrupted or taken over by malware of some sort?
