SID Resolution & Profile Issues in Windows + SidTest Utility

One thing I’ve found is that some data migration utilities such as USMT 4.0 fail in certain scenarios. This can cause user backup or restore to fail.

Some scenarios that cause issues:

  • When a user profile registry key has been removed, the relevant user profile folder will not get backed up. This may not be an issue as the user could not logon with that profile in any case. But sometimes bizarre things happen like user has new profile and was accessing data from an old profile via a Desktop Shortcut. (You should never have this state, but yes I’ve seen it. I didn’t do it) Typically not an issue, but something to be aware of.
  • When users have been migrated to a new domain, and username was same in previous and old domain, and the old domain profile still exists on the PC, and no DCs from old domain contactable. In this case USMT will backup data successfully but fail to restore data with an error like this:

[0x000000] Invalid user mapping: username -> S-1-5-21-2653292272-867113950-848626192-1402[gle=0x00000006]

  • When a domain SID cannot be resolved. This can happen when logged on as a local account and the network connection to relevant domain is not connected to machine. Connecting machine to the network will immediately resolve this issue.

To assist identify the root cause of this type of issue I made a simple console .exe, available with C# source code here:

http://www.tiange.com.au/sidtest.zip

Just run the tool and it will report SID resolution and/or profile issues. This can be run as standard user, it does not require admin privilege:

Checking profiles in registry…
SID: S-1-5-18
Profile Path: C:\Windows\system32\config\systemprofile

SID: S-1-5-19
Profile Path: C:\Windows\ServiceProfiles\LocalService
Account Name: NT AUTHORITY\LOCAL SERVICE

SID: S-1-5-20
Profile Path: C:\Windows\ServiceProfiles\NetworkService
Account Name: NT AUTHORITY\NETWORK SERVICE

SID: S-1-5-21-2120034334-471024225-329593862-48939
Profile Path: D:\Users\malcolmm_sup.testname
Account Name: testdomain\malcolmm_Sup

SID: S-1-5-21-2047200006-2327669565-1480420199-14389
Profile Path: D:\Users\malcolmm_sup
Account Name: testdomain\malcolmm_Sup

note: above scenario two user accounts are SAME, but SID is different. Use the SID prefix to find out which is the old domain. I.e. in this case I know it is S-1-5-21-2047200006-2327669565-1480420199. Due to the old domain being decommissioned, but SID history enabled both SIDs are now resolving to the same user account. This causes USMT restore to fail.

SID: S-1-5-21-2120034334-471024225-329593862-74650
Profile Path: D:\Users\malcolmm
Account Name: testdomain\malcolmm

SID: S-1-5-21-2120034334-471024225-329593862-87252
Profile Path: D:\Users\svc_W7soe_mgmt
Account Name: testdomain\svc_w7soe_mgmt

SID: S-1-5-21-3225382612-1001891589-4274512590-1000
Profile Path: D:\Users\desktopadmin
Failed to retrieve username for SID S-1-5-21-3225382612-1001891589-4274512590-1000. Error message: Some or all identity references could not be translated.

SID: S-1-5-21-3225382612-1001891589-4274512590-1052
Profile Path: D:\Users\DesktopAdmin3
Failed to retrieve username for SID S-1-5-21-3225382612-1001891589-4274512590-1052. Error message: Some or all identity references could not be translated.

SID: S-1-5-21-3225382612-1001891589-4274512590-1054
Profile Path: D:\Users\DesktopAdmin3.PC-120560
Account Name: PC-120560\DesktopAdmin3

SID: S-1-5-21-3225382612-1001891589-4274512590-500
Profile Path: D:\Users\Administrator
Account Name: PC-120560\Administrator

SID: S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Profile Path: D:\Users\DefaultAppPool
Account Name: IIS APPPOOL\DefaultAppPool

Checking profiles folder ‘D:\Users’…
Profile ‘D:\Users\malcolmm.old’ doesnt exist in registry.
Profile ‘D:\Users\malcolmm_Sup.old’ doesnt exist in registry.
Profile ‘D:\Users\TEMP.testdomain’ doesnt exist in registry.

===========================
BROKEN PROFILES ON THIS PC
===========================
Ignoring well known SID ‘S-1-5-18’ Profile ‘C:\Windows\system32\config\systemprofile’
Ignoring well known SID ‘S-1-5-19’ Profile ‘C:\Windows\ServiceProfiles\LocalService’
Ignoring well known SID ‘S-1-5-20’ Profile ‘C:\Windows\ServiceProfiles\NetworkService’

Profile in ‘D:\Users\desktopadmin’ with SID ‘S-1-5-21-3225382612-1001891589-4274512590-1000’ has following issue: Can’t resolve SID to a user name

Profile in ‘D:\Users\DesktopAdmin3’ with SID ‘S-1-5-21-3225382612-1001891589-4274512590-1052’ has following issue: Can’t resolve SID to a user name

Profile in ‘D:\Users\malcolmm.old’ with SID ” has following issue: User profile does not exist in registry

Profile in ‘D:\Users\malcolmm_Sup.old’ with SID ” has following issue: User profile does not exist in registry

Profile in ‘D:\Users\TEMP.testdomain’ with SID ” has following issue: User profile does not exist in registry

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in .NET, USMT and tagged . Bookmark the permalink.

One Response to SID Resolution & Profile Issues in Windows + SidTest Utility

  1. anurag says:

    Hi ,I am facing this issue “Some or all identity references could not be translated”.
    But I can’t download your zip file,it seems it is not available anymore.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s