| 1 | Security Accounts Manager |
Security Accounts Manager |
| 2 | The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled. |
The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled. |
| 0x2000 | Administrator |
Administrator |
| 0x2001 | Guest |
Guest |
| 0x2002 | Domain Admins |
Domain Admins |
| 0x2003 | Domain Users |
Domain Users |
| 0x2004 | None |
None |
| 0x2005 | Administrators |
Administrators |
| 0x2006 | Server Operators |
Server Operators |
| 0x2007 | Power Users |
Power Users |
| 0x2008 | Users |
Users |
| 0x2009 | Guests |
Guests |
| 0x200A | Account Operators |
Account Operators |
| 0x200B | Print Operators |
Print Operators |
| 0x200C | Backup Operators |
Backup Operators |
| 0x200D | Replicator |
Replicator |
| 0x200E | Domain Guests |
Domain Guests |
| 0x200F | $AccountNameConflict%1 |
$AccountNameConflict%1 |
| 0x2010 | krbtgt |
krbtgt |
| 0x2011 | Domain Computers |
Domain Computers |
| 0x2012 | Domain Controllers |
Domain Controllers |
| 0x2013 | Schema Admins |
Schema Admins |
| 0x2014 | Cert Publishers |
Cert Publishers |
| 0x2015 | Enterprise Admins |
Enterprise Admins |
| 0x2016 | RAS and IAS Servers |
RAS and IAS Servers |
| 0x2017 | Group Policy Creator Owners |
Group Policy Creator Owners |
| 0x2018 | Pre-Windows 2000 Compatible Access |
Pre-Windows 2000 Compatible Access |
| 0x2019 | Everyone |
Everyone |
| 0x201A | Remote Desktop Users |
Remote Desktop Users |
| 0x201C | Anonymous Logon |
Anonymous Logon |
| 0x201D | Network Configuration Operators |
Network Configuration Operators |
| 0x201E | Incoming Forest Trust Builders |
Incoming Forest Trust Builders |
| 0x201F | Performance Monitor Users |
Performance Monitor Users |
| 0x2020 | Performance Log Users |
Performance Log Users |
| 0x2021 | Windows Authorization Access Group |
Windows Authorization Access Group |
| 0x2022 | Network Service |
Network Service |
| 0x2023 | Enterprise Domain Controllers |
Enterprise Domain Controllers |
| 0x2024 | Terminal Server License Servers |
Terminal Server License Servers |
| 0x2025 | Trusted Installers |
Trusted Installers |
| 0x2026 | Distributed COM Users |
Distributed COM Users |
| 0x2027 | IIS_IUSRS |
IIS_IUSRS |
| 0x202A | Cryptographic Operators |
Cryptographic Operators |
| 0x202B | INTERNET USER |
INTERNET USER |
| 0x202D | Allowed RODC Password Replication Group |
Allowed RODC Password Replication Group |
| 0x202E | Denied RODC Password Replication Group |
Denied RODC Password Replication Group |
| 0x202F | Read-only Domain Controllers |
Read-only Domain Controllers |
| 0x2030 | Enterprise Read-only Domain Controllers |
Enterprise Read-only Domain Controllers |
| 0x2031 | Event Log Readers |
Event Log Readers |
| 0x2032 | Certificate Service DCOM Access |
Certificate Service DCOM Access |
| 0x2033 | RDS Remote Access Servers |
RDS Remote Access Servers |
| 0x2034 | RDS Endpoint Servers |
RDS Endpoint Servers |
| 0x2035 | RDS Management Servers |
RDS Management Servers |
| 0x2036 | Hyper-V Administrators |
Hyper-V Administrators |
| 0x2037 | Cloneable Domain Controllers |
Cloneable Domain Controllers |
| 0x2038 | Access Control Assistance Operators |
Access Control Assistance Operators |
| 0x2039 | Remote Management Users |
Remote Management Users |
| 0x203A | DefaultAccount |
DefaultAccount |
| 0x203B | System Managed Accounts Group |
System Managed Accounts Group |
| 0x2100 | Built-in account for administering the computer/domain |
Built-in account for administering the computer/domain |
| 0x2101 | Built-in account for guest access to the computer/domain |
Built-in account for guest access to the computer/domain |
| 0x2102 | Designated administrators of the domain |
Designated administrators of the domain |
| 0x2103 | All domain users |
All domain users |
| 0x2104 | Ordinary users |
Ordinary users |
| 0x2105 | Administrators have complete and unrestricted access to the computer/domain |
Administrators have complete and unrestricted access to the computer/domain |
| 0x2106 | Members can administer domain servers |
Members can administer domain servers |
| 0x2107 | Power Users are included for backwards compatibility and possess limited administrative powers |
Power Users are included for backwards compatibility and possess limited administrative powers |
| 0x2108 | Users are prevented from making accidental or intentional system-wide changes and can run most applications |
Users are prevented from making accidental or intentional system-wide changes and can run most applications |
| 0x2109 | Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted |
Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted |
| 0x210A | Members can administer domain user and group accounts |
Members can administer domain user and group accounts |
| 0x210B | Members can administer printers installed on domain controllers |
Members can administer printers installed on domain controllers |
| 0x210C | Backup Operators can override security restrictions for the sole purpose of backing up or restoring files |
Backup Operators can override security restrictions for the sole purpose of backing up or restoring files |
| 0x210D | Supports file replication in a domain |
Supports file replication in a domain |
| 0x210E | All domain guests |
All domain guests |
| 0x210F | Key Distribution Center Service Account |
Key Distribution Center Service Account |
| 0x2110 | All workstations and servers joined to the domain |
All workstations and servers joined to the domain |
| 0x2111 | All domain controllers in the domain |
All domain controllers in the domain |
| 0x2112 | Designated administrators of the schema |
Designated administrators of the schema |
| 0x2113 | Members of this group are permitted to publish certificates to the directory |
Members of this group are permitted to publish certificates to the directory |
| 0x2114 | Designated administrators of the enterprise |
Designated administrators of the enterprise |
| 0x2115 | Servers in this group can access remote access properties of users |
Servers in this group can access remote access properties of users |
| 0x2116 | Members in this group can modify group policy for the domain |
Members in this group can modify group policy for the domain |
| 0x2117 | A backward compatibility group which allows read access on all users and groups in the domain |
A backward compatibility group which allows read access on all users and groups in the domain |
| 0x2118 | Members in this group are granted the right to logon remotely |
Members in this group are granted the right to logon remotely |
| 0x2119 | Administrators have complete and unrestricted access to the computer |
Administrators have complete and unrestricted access to the computer |
| 0x211A | Members in this group can have some administrative privileges to manage configuration of networking features |
Members in this group can have some administrative privileges to manage configuration of networking features |
| 0x211B | Members of this group can create incoming, one-way trusts to this forest |
Members of this group can create incoming, one-way trusts to this forest |
| 0x211C | Members of this group can access performance counter data locally and remotely |
Members of this group can access performance counter data locally and remotely |
| 0x211D | Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer |
Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer |
| 0x211E | Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects |
Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects |
| 0x211F | Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage |
Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage |
| 0x2120 | Members in this group are granted the right to install software |
Members in this group are granted the right to install software |
| 0x2121 | Members are allowed to launch, activate and use Distributed COM objects on this machine. |
Members are allowed to launch, activate and use Distributed COM objects on this machine. |
| 0x2122 | Built-in group used by Internet Information Services. |
Built-in group used by Internet Information Services. |
| 0x2125 | Members are authorized to perform cryptographic operations. |
Members are authorized to perform cryptographic operations. |
| 0x2127 | Members in this group can have their passwords replicated to all read-only domain controllers in the domain |
Members in this group can have their passwords replicated to all read-only domain controllers in the domain |
| 0x2128 | Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain |
Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain |
| 0x2129 | Members of this group are Read-Only Domain Controllers in the domain |
Members of this group are Read-Only Domain Controllers in the domain |
| 0x212A | Members of this group can read event logs from local machine |
Members of this group can read event logs from local machine |
| 0x212B | Members of this group are Read-Only Domain Controllers in the enterprise |
Members of this group are Read-Only Domain Controllers in the enterprise |
| 0x212C | Members of this group are allowed to connect to Certification Authorities in the enterprise |
Members of this group are allowed to connect to Certification Authorities in the enterprise |
| 0x212D | Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group. |
Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group. |
| 0x212F | Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group. |
Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group. |
| 0x2130 | Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group. |
Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group. |
| 0x2131 | Members of this group have complete and unrestricted access to all features of Hyper-V. |
Members of this group have complete and unrestricted access to all features of Hyper-V. |
| 0x2132 | Members of this group that are domain controllers may be cloned. |
Members of this group that are domain controllers may be cloned. |
| 0x2133 | Members of this group can remotely query authorization attributes and permissions for resources on this computer. |
Members of this group can remotely query authorization attributes and permissions for resources on this computer. |
| 0x2134 | Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. |
Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. |
| 0x2135 | Protected Users |
Protected Users |
| 0x2136 | Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information. |
Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information. |
| 0x2137 | A user account managed by the system. |
A user account managed by the system. |
| 0x2138 | Members of this group are managed by the system. |
Members of this group are managed by the system. |
| 0x2139 | Storage Replica Administrators |
Storage Replica Administrators |
| 0x213A | Members of this group have complete and unrestricted access to all features of Storage Replica. |
Members of this group have complete and unrestricted access to all features of Storage Replica. |
| 0x213B | Key Admins |
Key Admins |
| 0x213C | Members of this group can perform administrative actions on key objects within the domain. |
Members of this group can perform administrative actions on key objects within the domain. |
| 0x213D | Enterprise Key Admins |
Enterprise Key Admins |
| 0x213E | Members of this group can perform administrative actions on key objects within the forest. |
Members of this group can perform administrative actions on key objects within the forest. |
| 0x00003000 | SAM failed to write changes to the database. This is most likely due to a memory or disk-space shortage. The SAM database will be restored to an earlier state. Recent changes will be lost. Check the disk-space available and maximum pagefile size setting. |
SAM failed to write changes to the database. This is most likely due to a memory or disk-space shortage. The SAM database will be restored to an earlier state. Recent changes will be lost. Check the disk-space available and maximum pagefile size setting. |
| 0x00003001 | SAM failed to restore the database to an earlier state. SAM has shutdown. You must reboot the machine to re-enable SAM. |
SAM failed to restore the database to an earlier state. SAM has shutdown. You must reboot the machine to re-enable SAM. |
| 0x00003003 | SAM failed to start the TCP/IP or SPX/IPX listening thread |
SAM failed to start the TCP/IP or SPX/IPX listening thread |
| 0x00003005 | There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is %1. All duplicate accounts have been deleted. Check the event log for additional duplicates. |
There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is %1. All duplicate accounts have been deleted. Check the event log for additional duplicates. |
| 0x00003006 | The SAM database was unable to lockout the account of %1 due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above. |
The SAM database was unable to lockout the account of %1 due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above. |
| 0x00003007 | The SAM database attempted to delete the file %1 as it contains account information that is no longer used. The error is in the record data. Please have an administrator delete this file. |
The SAM database attempted to delete the file %1 as it contains account information that is no longer used. The error is in the record data. Please have an administrator delete this file. |
| 0x00003008 | The SAM database attempted to clear the directory %1 in order to remove files that were once used by the Directory Service. The error is in record data. Please have an admin delete these files. |
The SAM database attempted to clear the directory %1 in order to remove files that were once used by the Directory Service. The error is in record data. Please have an admin delete these files. |
| 0x00003009 | %1 is now the primary domain controller for the domain. |
%1 is now the primary domain controller for the domain. |
| 0x0000300A | The account %1 cannot be converted to be a domain controller account as its object class attribute in the directory is not computer or is not derived from computer. If this is caused by an attempt to install a pre Windows 2000 domain controller in a Windows 2000 domain or later, then you should pre-create the account for the domain controller with the correct object class. |
The account %1 cannot be converted to be a domain controller account as its object class attribute in the directory is not computer or is not derived from computer. If this is caused by an attempt to install a pre Windows 2000 domain controller in a Windows 2000 domain or later, then you should pre-create the account for the domain controller with the correct object class. |
| 0x0000300B | The attempt to check whether group caching has been enabled in the Security Accounts Manager has failed, most likely due to lack of resources. This task has been rescheduled to run in one minute. |
The attempt to check whether group caching has been enabled in the Security Accounts Manager has failed, most likely due to lack of resources. This task has been rescheduled to run in one minute. |
| 0x0000300C | The group caching option in the Security Accounts Manager has now been properly updated. Group caching is enabled. |
The group caching option in the Security Accounts Manager has now been properly updated. Group caching is enabled. |
| 0x0000300D | The group caching option in the Security Accounts Manager has now been properly updated. Group caching is disabled. |
The group caching option in the Security Accounts Manager has now been properly updated. Group caching is disabled. |
| 0x0000300E | The %1 package failed to update additional credentials for user %2. The error code is in the data of the event log message. |
The %1 package failed to update additional credentials for user %2. The error code is in the data of the event log message. |
| 0x0000300F | There are two or more well known objects that have the same SID attribute in the SAM database. The Distinguished Name of the duplicate account is %1. The newest account will be kept, all older duplicate accounts have been deleted. Check the event log for additional duplicates. |
There are two or more well known objects that have the same SID attribute in the SAM database. The Distinguished Name of the duplicate account is %1. The newest account will be kept, all older duplicate accounts have been deleted. Check the event log for additional duplicates. |
| 0x00003010 | There are two or more objects that have the same account name attribute in the SAM database. The system has automatically renamed object %1 to a system assigned account name %2. |
There are two or more objects that have the same account name attribute in the SAM database. The system has automatically renamed object %1 to a system assigned account name %2. |
| 0x00003011 | An error occurred while creating new default accounts for this domain. This maybe due to a transient error condition. The task will retry periodically until success and will log this message again in a week if the problem persists. |
An error occurred while creating new default accounts for this domain. This maybe due to a transient error condition. The task will retry periodically until success and will log this message again in a week if the problem persists. |
| 0x00004000 | The account %1 could not be upgraded since there is an account with an equivalent name. |
The account %1 could not be upgraded since there is an account with an equivalent name. |
| 0x00004001 | An error occurred upgrading user %1. This account will have to be added manually upon reboot. |
An error occurred upgrading user %1. This account will have to be added manually upon reboot. |
| 0x00004002 | An error occurred trying to read a user object from the old database. |
An error occurred trying to read a user object from the old database. |
| 0x00004003 | An error occurred upgrading alias %1. This account will have to be added manually upon reboot. |
An error occurred upgrading alias %1. This account will have to be added manually upon reboot. |
| 0x00004004 | An error occurred trying to read an alias object from the old database. |
An error occurred trying to read an alias object from the old database. |
| 0x00004005 | An error occurred upgrading group %1. This account will have to be added manually upon reboot. |
An error occurred upgrading group %1. This account will have to be added manually upon reboot. |
| 0x00004006 | An error occurred trying to read a group object from the old database. |
An error occurred trying to read a group object from the old database. |
| 0x00004007 | An error occurred trying to add account %1 to alias %2. This account will have to be added manually upon reboot. |
An error occurred trying to add account %1 to alias %2. This account will have to be added manually upon reboot. |
| 0x00004008 | The account with the sid %1 could not be added to group %2. |
The account with the sid %1 could not be added to group %2. |
| 0x00004009 | An error occurred trying to add account %1 to group %2. This account will have to be added manually upon reboot. |
An error occurred trying to add account %1 to group %2. This account will have to be added manually upon reboot. |
| 0x0000400A | The account with the rid %1 could not be added to group %2. |
The account with the rid %1 could not be added to group %2. |
| 0x0000400B | A fatal error occurred trying to transfer the SAM account database into the directory service. A possible reason is the SAM account database is corrupt. |
A fatal error occurred trying to transfer the SAM account database into the directory service. A possible reason is the SAM account database is corrupt. |
| 0x0000400C | The account krbtgt was renamed to %1 to allow the Kerberos security package to install. |
The account krbtgt was renamed to %1 to allow the Kerberos security package to install. |
| 0x0000400E | An error occurred trying to upgrade a SAM user's User_Parameters attribute. The following Notification Package DLL might be the possible offender: %1. Check the record data of this event for the NT error code. |
An error occurred trying to upgrade a SAM user's User_Parameters attribute. The following Notification Package DLL might be the possible offender: %1. Check the record data of this event for the NT error code. |
| 0x0000400F | An error occured trying to set User Parameters attribute for this user This operation is failed. Check the record data of this event for the NT error code. |
An error occured trying to set User Parameters attribute for this user This operation is failed. Check the record data of this event for the NT error code. |
| 0x00004010 | An error occured trying to upgrade the following SAM User Object - %1. We will try to continue upgrading this user. But it might contain inconsistent data. Check the record data of this event for the NT error code. |
An error occured trying to upgrade the following SAM User Object - %1. We will try to continue upgrading this user. But it might contain inconsistent data. Check the record data of this event for the NT error code. |
| 0x00004011 | An error occurred when trying to add the account %1 to the group %2. The problem, \"%3\", occurred when trying to open the group. Please add the account manually. |
An error occurred when trying to add the account %1 to the group %2. The problem, \"%3\", occurred when trying to open the group. Please add the account manually. |
| 0x00004012 | An error occurred when trying to add the account %1 to the group %2. The problem, \"%3\", occurred when trying to add the account to the group. Please add the account manually. |
An error occurred when trying to add the account %1 to the group %2. The problem, \"%3\", occurred when trying to add the account to the group. Please add the account manually. |
| 0x00004013 | The error \"%2\" occurred when trying to create the well known account %1. Please contact PSS to recover. |
The error \"%2\" occurred when trying to create the well known account %1. Please contact PSS to recover. |
| 0x00004015 | During the installation of the Directory Service, this server's machine account was deleted hence preventing this Domain Controller from starting up. |
During the installation of the Directory Service, this server's machine account was deleted hence preventing this Domain Controller from starting up. |
| 0x00004016 | The Security Account Database detected that the well known account %1 does not exist. The account has been recreated. Please reset the password for the account. |
The Security Account Database detected that the well known account %1 does not exist. The account has been recreated. Please reset the password for the account. |
| 0x00004017 | The Security Account Database detected that the well known group or local group %1 does not exist. The group has been recreated. |
The Security Account Database detected that the well known group or local group %1 does not exist. The group has been recreated. |
| 0x00004018 | Domain operation mode has been changed to Native Mode. The change cannot be reversed. |
Domain operation mode has been changed to Native Mode. The change cannot be reversed. |
| 0x00004019 | Active Directory Domain Services failed to add a security principal to well known security principals container. Please have an administrator add this security principal if needed. Security principal name: %1 |
Active Directory Domain Services failed to add a security principal to well known security principals container. Please have an administrator add this security principal if needed. Security principal name: %1 |
| 0x0000401A | Active Directory Domain Services failed to add all of the new security principals to well known security principals container. Please have an administrator add these security principals if needed. |
Active Directory Domain Services failed to add all of the new security principals to well known security principals container. Please have an administrator add these security principals if needed. |
| 0x0000401B | Active Directory Domain Services failed to rename a security principal in well known security principals container. Please have an administrator rename this security principal if needed. Security principal name: %1 |
Active Directory Domain Services failed to rename a security principal in well known security principals container. Please have an administrator rename this security principal if needed. Security principal name: %1 |
| 0x0000401C | Active Directory Domain Services failed to rename some of the security principals in well known security principals container. Please have an administrator rename these security principals if needed. |
Active Directory Domain Services failed to rename some of the security principals in well known security principals container. Please have an administrator rename these security principals if needed. |
| 0x0000401D | An error occurred when trying to remove the account %1 from the group %2. The problem, \"%3\", occurred when trying to remove the account from the group. Please remove the member manually. |
An error occurred when trying to remove the account %1 from the group %2. The problem, \"%3\", occurred when trying to remove the account from the group. Please remove the member manually. |
| 0x00004102 | The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log. |
The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log. |
| 0x00004103 | An initial account-identifier pool has not yet been allocated to this domain controller. A possible reason for this is that the domain controller has been unable to contact the master domain controller, possibly due to connectivity or network problems. Account creation will fail on this domain controller until the pool is obtained. |
An initial account-identifier pool has not yet been allocated to this domain controller. A possible reason for this is that the domain controller has been unable to contact the master domain controller, possibly due to connectivity or network problems. Account creation will fail on this domain controller until the pool is obtained. |
| 0x00004104 | The maximum domain account identifier value has been reached. No further account-identifier pools can be allocated to domain controllers in this domain. |
The maximum domain account identifier value has been reached. No further account-identifier pools can be allocated to domain controllers in this domain. |
| 0x00004105 | The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain. |
The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain. |
| 0x00004106 | The computed account identifier is invalid because it is out of the range of the current account-identifier pool belonging to this domain controller. The computed RID value is %1. Try invalidating the account identifier pool owned by this domain controller. This will make the domain controller acquire a fresh account identifier pool. |
The computed account identifier is invalid because it is out of the range of the current account-identifier pool belonging to this domain controller. The computed RID value is %1. Try invalidating the account identifier pool owned by this domain controller. This will make the domain controller acquire a fresh account identifier pool. |
| 0x00004107 | The domain controller is starting a request for a new account-identifier pool. |
The domain controller is starting a request for a new account-identifier pool. |
| 0x00004108 | The request for a new account-identifier pool has completed successfully. |
The request for a new account-identifier pool has completed successfully. |
| 0x00004109 | The account-identifier-manager object creation completed. If the record data for this event has the value zero, the manager object was created. Otherwise, the record data will contain the NT error code indicating the failure. The failure to create the object may be due to low system resources, insufficient memory, or disk space. |
The account-identifier-manager object creation completed. If the record data for this event has the value zero, the manager object was created. Otherwise, the record data will contain the NT error code indicating the failure. The failure to create the object may be due to low system resources, insufficient memory, or disk space. |
| 0x0000410B | The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is %n \" %1 \" |
The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is %n \" %1 \" |
| 0x0000410C | The domain controller is booting to directory services restore mode. |
The domain controller is booting to directory services restore mode. |
| 0x0000410D | A pool size for account-identifiers (RIDs) that was configured by an Administrator is greater than the supported maximum. The maximum value of %1 will be used when the domain controller is the RID master. %nSee http://go.microsoft.com/fwlink/?LinkId=225963 for more information. |
A pool size for account-identifiers (RIDs) that was configured by an Administrator is greater than the supported maximum. The maximum value of %1 will be used when the domain controller is the RID master. %nSee http://go.microsoft.com/fwlink/?LinkId=225963 for more information. |
| 0x0000410E | A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases:%n1. A domain controller is restored from backup. %n2. A domain controller running on a virtual machine is restored from snapshot. %n3. An administrator has manually invalidated the pool. %nSee http://go.microsoft.com/fwlink/?LinkId=226247 for more information. |
A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases:%n1. A domain controller is restored from backup. %n2. A domain controller running on a virtual machine is restored from snapshot. %n3. An administrator has manually invalidated the pool. %nSee http://go.microsoft.com/fwlink/?LinkId=226247 for more information. |
| 0x0000410F | The global maximum for account-identifiers (RIDs) has been increased to %1. %n See http://go.microsoft.com/fwlink/?LinkId=233329 for more information including important operating system interoperability requirements. |
The global maximum for account-identifiers (RIDs) has been increased to %1. %n See http://go.microsoft.com/fwlink/?LinkId=233329 for more information including important operating system interoperability requirements. |
| 0x00004110 | Action required! An account-identifier (RID) pool was allocated to this domain controller. The pool value indicates this domain has consumed a considerable portion of the total available account-identifiers. %n%nA protection mechanism will be activated when the domain reaches the following threshold of total available account-identifiers remaining: %1. The protection mechanism prevents the allocation of account-identifier (RID) pools needed to allow existing DCs to create additional users, computers and groups, or promote new DCs into the domain. The mechanism will remain active until the Administrator manually re-enables account-identifier allocation on the RID master domain controller. %n%nSee http://go.microsoft.com/fwlink/?LinkId=228610 for more information. |
Action required! An account-identifier (RID) pool was allocated to this domain controller. The pool value indicates this domain has consumed a considerable portion of the total available account-identifiers. %n%nA protection mechanism will be activated when the domain reaches the following threshold of total available account-identifiers remaining: %1. The protection mechanism prevents the allocation of account-identifier (RID) pools needed to allow existing DCs to create additional users, computers and groups, or promote new DCs into the domain. The mechanism will remain active until the Administrator manually re-enables account-identifier allocation on the RID master domain controller. %n%nSee http://go.microsoft.com/fwlink/?LinkId=228610 for more information. |
| 0x00004111 | Action required! This domain has consumed a considerable portion of the total available account-identifiers (RIDs). A protection mechanism has been activated because the total available account-identifiers remaining is approximately: %1. %n%nThe protection mechanism prevents the allocation of account-identifier (RID) pools needed to allow existing DCs to create additional users, computers and groups, or promote new DCs into the domain. The mechanism will remain active until the Administrator manually re-enables account-identifier (RID) allocation on the RID master domain controller. %n%nIt is extremely important that certain diagnostics be performed prior to re-enabling account creation to ensure this domain is not consuming account-identifiers at an abnormally high rate. Any issues identified should be resolved prior to re-enabling account creation. %n%nFailure to diagnose and fix any underlying issue causing an abnormally high rate of account-identifier consumption can lead to account-identifier (RID) pool exhaustion in the domain after which account creation will be permanently disabled in this domain. %n%nSee http://go.microsoft.com/fwlink/?LinkId=228610 for more information. |
Action required! This domain has consumed a considerable portion of the total available account-identifiers (RIDs). A protection mechanism has been activated because the total available account-identifiers remaining is approximately: %1. %n%nThe protection mechanism prevents the allocation of account-identifier (RID) pools needed to allow existing DCs to create additional users, computers and groups, or promote new DCs into the domain. The mechanism will remain active until the Administrator manually re-enables account-identifier (RID) allocation on the RID master domain controller. %n%nIt is extremely important that certain diagnostics be performed prior to re-enabling account creation to ensure this domain is not consuming account-identifiers at an abnormally high rate. Any issues identified should be resolved prior to re-enabling account creation. %n%nFailure to diagnose and fix any underlying issue causing an abnormally high rate of account-identifier consumption can lead to account-identifier (RID) pool exhaustion in the domain after which account creation will be permanently disabled in this domain. %n%nSee http://go.microsoft.com/fwlink/?LinkId=228610 for more information. |
| 0x00004112 | This event is a periodic update on the remaining total quantity of available account-identifiers (RIDs). The number of remaining account-identifiers is approximately: %1. %n%nAccount-identifiers are used as accounts are created, when they are exhausted no new accounts may be created in the domain. %n%nSee http://go.microsoft.com/fwlink/?LinkId=228745 for more information. |
This event is a periodic update on the remaining total quantity of available account-identifiers (RIDs). The number of remaining account-identifiers is approximately: %1. %n%nAccount-identifiers are used as accounts are created, when they are exhausted no new accounts may be created in the domain. %n%nSee http://go.microsoft.com/fwlink/?LinkId=228745 for more information. |
| 0x00004200 | Security Enabled Local Group Changed to Security Enabled Universal Group. |
Security Enabled Local Group Changed to Security Enabled Universal Group. |
| 0x00004201 | Security Enabled Local Group Changed to Security Disabled Local Group. |
Security Enabled Local Group Changed to Security Disabled Local Group. |
| 0x00004202 | Security Enabled Local Group Changed to Security Disabled Universal Group. |
Security Enabled Local Group Changed to Security Disabled Universal Group. |
| 0x00004203 | Security Enabled Global Group Changed to Security Enabled Universal Group. |
Security Enabled Global Group Changed to Security Enabled Universal Group. |
| 0x00004204 | Security Enabled Global Group Changed to Security Disabled Global Group. |
Security Enabled Global Group Changed to Security Disabled Global Group. |
| 0x00004205 | Security Enabled Global Group Changed to Security Disabled Universal Group. |
Security Enabled Global Group Changed to Security Disabled Universal Group. |
| 0x00004206 | Security Enabled Universal Group Changed to Security Enabled Local Group. |
Security Enabled Universal Group Changed to Security Enabled Local Group. |
| 0x00004207 | Security Enabled Universal Group Changed to Security Enabled Global Group. |
Security Enabled Universal Group Changed to Security Enabled Global Group. |
| 0x00004208 | Security Enabled Universal Group Changed to Security Disabled Local Group. |
Security Enabled Universal Group Changed to Security Disabled Local Group. |
| 0x00004209 | Security Enabled Universal Group Changed to Security Disabled Global Group. |
Security Enabled Universal Group Changed to Security Disabled Global Group. |
| 0x0000420A | Security Enabled Universal Group Changed to Security Disabled Universal Group. |
Security Enabled Universal Group Changed to Security Disabled Universal Group. |
| 0x0000420B | Security Disabled Local Group Changed to Security Enabled Local Group. |
Security Disabled Local Group Changed to Security Enabled Local Group. |
| 0x0000420C | Security Disabled Local Group Changed to Security Enabled Universal Group. |
Security Disabled Local Group Changed to Security Enabled Universal Group. |
| 0x0000420D | Security Disabled Local Group Changed to Security Disabled Universal Group. |
Security Disabled Local Group Changed to Security Disabled Universal Group. |
| 0x0000420E | Security Disabled Global Group Changed to Security Enabled Global Group. |
Security Disabled Global Group Changed to Security Enabled Global Group. |
| 0x0000420F | Security Disabled Global Group Changed to Security Enabled Universal Group. |
Security Disabled Global Group Changed to Security Enabled Universal Group. |
| 0x00004210 | Security Disabled Global Group Changed to Security Disabled Universal Group. |
Security Disabled Global Group Changed to Security Disabled Universal Group. |
| 0x00004211 | Security Disabled Universal Group Changed to Security Enabled Universal Group. |
Security Disabled Universal Group Changed to Security Enabled Universal Group. |
| 0x00004212 | Security Disabled Universal Group Changed to Security Enabled Global Group. |
Security Disabled Universal Group Changed to Security Enabled Global Group. |
| 0x00004214 | Security Disabled Universal Group Changed to Security Disabled Local Group. |
Security Disabled Universal Group Changed to Security Disabled Local Group. |
| 0x00004215 | Security Disabled Universal Group Changed to Security Disabled Global Group. |
Security Disabled Universal Group Changed to Security Disabled Global Group. |
| 0x00004216 | Member Account Name Is Not Available. |
Member Account Name Is Not Available. |
| 0x00004217 | Account Enabled. |
Account Enabled. |
| 0x00004218 | Account Disabled. |
Account Disabled. |
| 0x00004219 | Certain Bit(s) in User Account Control Field Has Been Changed. |
Certain Bit(s) in User Account Control Field Has Been Changed. |
| 0x0000421B | Account Name Changed. |
Account Name Changed. |
| 0x0000421C | Password Policy |
Password Policy |
| 0x0000421D | Logoff Policy |
Logoff Policy |
| 0x0000421E | Oem Information |
Oem Information |
| 0x0000421F | Replication Information |
Replication Information |
| 0x00004220 | Domain Server Role |
Domain Server Role |
| 0x00004221 | Domain Server State |
Domain Server State |
| 0x00004222 | Lockout Policy |
Lockout Policy |
| 0x00004223 | Modified Count |
Modified Count |
| 0x00004224 | Domain Mode |
Domain Mode |
| 0x00004225 | Basic Application Group Changed to Ldap Query Application Group. |
Basic Application Group Changed to Ldap Query Application Group. |
| 0x00004226 | Ldap Query Application Group Changed to Basic Application Group. |
Ldap Query Application Group Changed to Basic Application Group. |
| 0x00004227 | Failed to secure the machine account %1. Have an administrator remove the builtin\\account operators full control Access Control Entry from the security descriptor on this object. |
Failed to secure the machine account %1. Have an administrator remove the builtin\\account operators full control Access Control Entry from the security descriptor on this object. |
| 0x00004228 | Failed to secure the machine account %1. This operation will be retried. Have an administrator verify the builtin\\account operators full control Access Control Entry was removed from the security descriptor on this object. |
Failed to secure the machine account %1. This operation will be retried. Have an administrator verify the builtin\\account operators full control Access Control Entry was removed from the security descriptor on this object. |
| 0x00004229 | Secured the machine account %1. The builtin\\account operators full control Access Control Entry was removed from the security descriptor on this object. |
Secured the machine account %1. The builtin\\account operators full control Access Control Entry was removed from the security descriptor on this object. |
| 0x00004230 | The certificate that is used for authentication does not have an issuance policy descriptor corresponding to OID %1 in the Active Directory database. This certificate will not be associated with a corresponding security identifier (SID), and the user may be denied access to some resources if you have resources whose access is restricted based on this issuance policy. The error is %2. |
The certificate that is used for authentication does not have an issuance policy descriptor corresponding to OID %1 in the Active Directory database. This certificate will not be associated with a corresponding security identifier (SID), and the user may be denied access to some resources if you have resources whose access is restricted based on this issuance policy. The error is %2. |
| 0x00004231 | The certificate issuance policy that is represented by OID %2 does not have a link to a security identifier (SID), or this link cannot be read. The link is represented by the attribute msDS-OIDToGroupLink on the msPKI-Enterprise-Oid object that represents the issuance policy. This certificate will not be associated with a corresponding SID, and the user may be denied access to some resources if you have resources whose access is restricted based on this issuance policy. |
The certificate issuance policy that is represented by OID %2 does not have a link to a security identifier (SID), or this link cannot be read. The link is represented by the attribute msDS-OIDToGroupLink on the msPKI-Enterprise-Oid object that represents the issuance policy. This certificate will not be associated with a corresponding SID, and the user may be denied access to some resources if you have resources whose access is restricted based on this issuance policy. |
| 0x00004232 | Multiple certificate issuance policy descriptors were found in the Active Directory database. The attribute msPKI-Cert-Template-OID of these descriptors contains string %1. This attribute should be able to uniquely identify an issuance policy descriptor; you should resolve this conflict. The issuance policies that are affected will not be associated with security identifiers (SIDs), and users who are authenticating using certificates that are issued by the corresponding policy may be denied access to some resources. |
Multiple certificate issuance policy descriptors were found in the Active Directory database. The attribute msPKI-Cert-Template-OID of these descriptors contains string %1. This attribute should be able to uniquely identify an issuance policy descriptor; you should resolve this conflict. The issuance policies that are affected will not be associated with security identifiers (SIDs), and users who are authenticating using certificates that are issued by the corresponding policy may be denied access to some resources. |
| 0x00004233 | The certificate issuance policy descriptor %2 is linked through its attribute msDS-OIDToGroupLink to a group that is not a security group, has members, or is not universal. The error is %6.%nAn issuance policy should be linked to a security identifier (SID) of a group that is security enabled, does not have members, and is universal. Users who are authenticating using certificates that are issued according to this policy may be denied access to some resources. The distinguished name (also known as DN) of the group that does not meet these requirements is %3. |
The certificate issuance policy descriptor %2 is linked through its attribute msDS-OIDToGroupLink to a group that is not a security group, has members, or is not universal. The error is %6.%nAn issuance policy should be linked to a security identifier (SID) of a group that is security enabled, does not have members, and is universal. Users who are authenticating using certificates that are issued according to this policy may be denied access to some resources. The distinguished name (also known as DN) of the group that does not meet these requirements is %3. |
| 0x00004234 | The requested modification for group %1 could not be performed. This is because this group is linked through msDS-OIDToGroupLinkBl to a certificate issuance policy descriptor. Such groups should be security enabled, they should not have any members, and they should be universal.%nThe requested operation was %4.%nThe error is %5. |
The requested modification for group %1 could not be performed. This is because this group is linked through msDS-OIDToGroupLinkBl to a certificate issuance policy descriptor. Such groups should be security enabled, they should not have any members, and they should be universal.%nThe requested operation was %4.%nThe error is %5. |
| 0x00004235 | The certificate issuance policy descriptor %1 cannot be linked to group %2. Issuance policies can be linked through the attribute msDS-OIDToGroupLink only to universal, security-enabled groups that have an empty membership. You should ensure that this group meets these requirements.%nThe error is %5. |
The certificate issuance policy descriptor %1 cannot be linked to group %2. Issuance policies can be linked through the attribute msDS-OIDToGroupLink only to universal, security-enabled groups that have an empty membership. You should ensure that this group meets these requirements.%nThe error is %5. |
| 0x00004236 | The following invalid claims issued to user %1 have been dropped: %2. |
The following invalid claims issued to user %1 have been dropped: %2. |
| 0x00004237 | Claims issued to user %1 could not be validated and have been dropped. Error: %2. |
Claims issued to user %1 could not be validated and have been dropped. Error: %2. |
| 0x00004239 | The password notification DLL %1 failed to load with error %4. Please verify that the notification DLL path defined in the registry, %2%3, refers to a correct and absolute path (:\\\\.) and not a relative or invalid path. If the DLL path is correct, please validate that any supporting files are located in the same directory, and that the system account has read access to both the DLL path and any supporting files. Contact the provider of the notification DLL for additional support. Further details can be found on the web at http://go.microsoft.com/fwlink/?LinkId=245898. |
The password notification DLL %1 failed to load with error %4. Please verify that the notification DLL path defined in the registry, %2%3, refers to a correct and absolute path (:\\\\.) and not a relative or invalid path. If the DLL path is correct, please validate that any supporting files are located in the same directory, and that the system account has read access to both the DLL path and any supporting files. Contact the provider of the notification DLL for additional support. Further details can be found on the web at http://go.microsoft.com/fwlink/?LinkId=245898. |
| 0x00004240 | SAM was configured to not listen on the TCP protocol. |
SAM was configured to not listen on the TCP protocol. |
| 0x00004241 | Legacy password validation mode has been enabled on this machine. If an Exchange ActiveSync policy is configured it will not be enforced for password validation requests. |
Legacy password validation mode has been enabled on this machine. If an Exchange ActiveSync policy is configured it will not be enforced for password validation requests. |
| 0x00004242 | Remote calls to the SAM database are being restricted using the default security descriptor: %1.%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
Remote calls to the SAM database are being restricted using the default security descriptor: %1.%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
| 0x00004243 | Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
| 0x00004244 | The registry security descriptor is malformed: %1.%nRemote calls to the SAM database are being restricted using the default security descriptor: %2.%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
The registry security descriptor is malformed: %1.%nRemote calls to the SAM database are being restricted using the default security descriptor: %2.%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
| 0x00004245 | A remote call to the SAM database has been denied.%nClient SID: %1%nNetwork address: %2%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
A remote call to the SAM database has been denied.%nClient SID: %1%nNetwork address: %2%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
| 0x00004246 | Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
| 0x00004247 | Audit only mode is now disabled for remote calls to the SAM database.%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
Audit only mode is now disabled for remote calls to the SAM database.%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
| 0x00004248 | Audit only mode is currently enabled for remote calls to the SAM database.%nThe following client would have been normally denied access:%nClient SID: %1 from network address: %2. %nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
Audit only mode is currently enabled for remote calls to the SAM database.%nThe following client would have been normally denied access:%nClient SID: %1 from network address: %2. %nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
| 0x00004249 | %2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
%2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.%nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651. |
| 0x00004250 | An error occurred while configuring one or more well-known accounts for this domain. This may be due to a transient error condition. The task will retry periodically until successful. For more information please see https://go.microsoft.com/fwlink/?linkid=832473.%nStatus: %1 |
An error occurred while configuring one or more well-known accounts for this domain. This may be due to a transient error condition. The task will retry periodically until successful. For more information please see https://go.microsoft.com/fwlink/?linkid=832473.%nStatus: %1 |
| 0x50000002 | Error |
Error |
| 0x50000003 | Warning |
Warning |
| 0x50000004 | Information |
Information |
| 0x90000001 | Microsoft-Windows-Directory-Services-SAM |
Microsoft-Windows-Directory-Services-SAM |
| 0x90000002 | System |
System |