Active Directory Permissions Exceptions

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

• Suspect Windows accounts encountered processing OS objects
• User account [SID group] is not part of the global group accounts/well-known group accounts.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible.

To get users and group account details, LookupAccountSid is executed which is a windows API, and since the account exists and is accessible, it returns the name for the specified SID. The users or groups account is an alias, group, or a well-known group. So in a normal functioning environment, the user or group return will always be amongst the alias, group, or well-known group. Therefore the negative case is not reproduced in a normal functioning environment.

Source: https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-lookupaccountsida

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Add a user to the active directory using the given steps :

• Go to Start.
• Select “Administrative Tools”.
• Select “Active Directory Users and Computers”.
• Either right-click the "Users" folder on the left side, or the blank area on the right side, And highlight "New" then click "User”.
• In the next dialog, we can set the user's First name, Last name, and various other pieces of information, including their log-on name, and domain to which we want to add them.
• After clicking "Next" you are presented with the password-settings screen.
• In the next dialog, we get a summary of the user to be created. Click "Finish" and the user has been created.

Verify that the user is active in the Active Directory.

Suspect Windows accounts encountered processing OS objects

• User with groupSID - [SID group] is not present in the active directory/Account table.
• User with username - [ username ] and groupSID - [SID group] is not present in the active directory/Account table.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

The location of the given groupSID is not found as this groupSID is not part of either the Well-Known account group, Domain server group role, or a Local server group.

Add a group to the active directory using the given steps :

• Go to Start.
• Select “Administrative Tools”.
• Select “Active Directory Users and Computers”.
• Either right-click the "Group" folder on the left side, or the blank area on the right side, And highlight "New" then click "Group”.
• In the next dialog, we can set the group’s name and various other pieces of information, including their log-on name, and domain to which we want to add them.

Verify that the group is active in the Active Directory.

• Suspect Windows accounts encountered processing OS objects.
• GroupSID [SID group] is missing from Active Directory.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. If the user or group account is not valid then the account location is returned as unknown. So in normal functioning, the account location will not be unknown therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the directory entry obtained from WInNT path is valid and has read/write permissions.

• Suspect Windows accounts encountered processing OS objects.
• The creation of a local account for the group account failed.

A local account is created for the specified server name, SID Group, and Directory Entry Group. A negative case will arise when the group directory entry is empty or null which will not happen in a normal functioning environment as it is made using the server name and group name. So in the normal functioning environment, the account creation will not fail therefore the negative case will not be reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the directory entry obtained from WInNT path is valid and has read/write permissions.

• Suspect Windows accounts encountered processing the OS objects.
• Retrieval of the directory members and their paths of the group directory corresponding to the groupSID failed.

In a normal functioning environment, we get members and their paths of the group directory. It may fail during the run time due to some flaws in the environment. Then this error gets logged. It is a custom error and not a standard windows error. We couldn’t reproduce this error in a normal functioning environment.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Please check if the directory exists at the given path. If the directory exists, please check if the user has permission to access the directory.

• Suspect Windows accounts encountered processing OS objects.
• Directory entry [Directory name] for the given groupSID [SID group] WinNT path is not valid.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. If the directory entry for the SID is not found it returns null. But in a normal functioning environment, the directory entry will not be null for the given SID and therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

• Check if the format of the specified Domain Name is invalid.
• Check if the Flags parameter does not contain conflicting or superfluous flags.
• Check if the memory allocation failure has not occurred.
• Check if the domain controller is available for the specified domain or the domain does exist.

Suspect Windows accounts encountered processing OS objects Failed to retrieve the name of the domain controller for the specified domain: [domain name].

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. Since the server name and domain name will also be available in normal functionality, so the domain controller details will be accessible therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the directory path is valid or the user has required permissions to access the directory path.

Suspect Windows accounts encountered processing OS objects. Active Directory entry [directory entry name] for the given groupSID [SID group] is not valid/does not exist.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. Since the directory entry name for the users or group is not null or empty or the object class is not unknown for the users or groups in normal functionality therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Retrieving of the directory members and their paths, of the group directory corresponding to the groupSID has failed.

Add a group to the active directory using the given steps :

• Go to Start.
• Select “Administrative Tools”.
• Select “Active Directory Users and Computers”.
• Select the server from the left side.
• A list of groups and users will appear on the screen.
• Select a particular group.
• In the dialog opened there will be a tab to see members of the group.

Verify if the retrieved group members and their paths are valid entries in the server.

Suspect Windows accounts encountered processing OS objects.

Retrieval of the active directory members and their paths of the group directory corresponding to the groupSID [SID group] failed.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. Since the directory entry name for the users or group is not null or empty and domain details are available for the users or groups in normal functionality therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

• Suspect Windows accounts encountered processing OS objects.
• Directory entry[directory entry name] for the given groupSID [SID group] WinNT path is not valid.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. If the directory entry for the SID is not found it returns null. But in a normal functioning environment, the directory entry will not be null for the given SID and therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

• Suspect Windows accounts encountered processing OS objects.
• Given [ldap path] does not contain any elements.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. Server Name and group names are available for the users and groups to get the LDAP path. Therefore the path will be generated and it will have elements in normal functionality therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

This is logged when there are not enough elements in the path to extract the domain from the path.

• Suspect Windows accounts encountered processing OS objects.
• The given path [ specific path ] does not contain a valid number of elements.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. Server Name and group names are available for the users and groups to get the LDAP path. Therefore the path will be generated and it will have a valid number of elements in normal functionality therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

• Suspect Windows accounts encountered processing OS objects.
• Local directory entry not found.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. Members of these groups are also accessible and local directory path. So in normal functionality, the local directory entry for each member of the group will be available so the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the local Directory entry supplied to this method is valid or has read/write permissions.

• Suspect Windows accounts encountered processing OS objects.
• Please check that the user [ specific user ] has the required permissions for the local directory [local directory name].

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. Since the directory entry name for the users or group is not null or empty or the object class is not unknown for the users or groups in normal functionality, therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

• Suspect Windows accounts encountered processing OS objects.
• Failed to get Domain for specified object path [specific object path].

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. `Domain information for each user or group is fetched using the server name and the user or group members therefore the domain information is available in normal functionality, so the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

• Suspect Windows accounts encountered processing OS objects.
• Active directory entry not found for provided Foreign Security Principal sid/fspsid [specific sid\fspsid].

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. For every user or group, there will be a directory path in normal functionality so active directory entry will be found for fspsid therefore in normal functionality the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the Active DirectoryEntry from which the sid was obtained is valid or has read/write permission.

• Suspect Windows accounts encountered processing OS objects.
• Active Directory entry from which SID [specific SID] was obtained is not valid or does not have required permissions.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. For every user or group, there will be a directory path and the path has an object class that will not be unknown in normal functionality, it will be amongst user, group, computer, or inetOrgPerson. So in normal functionality, the object class won't be unknown therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the DirectoryEntry from which the sid was obtained is valid or has read/write permission.

• Suspect Windows accounts encountered processing OS objects.
• Active Directory entry from which SID [specific SID] was obtained is not valid or does not have required permissions.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. For every user or group, there will be a directory path and the path has an object class that will not be unknown in normal functionality, it will be amongst user, group, computer, or inetOrgPerson. So in normal functionality, the object class won't be unknown therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

• Suspect Windows accounts encountered processing OS objects.
• Active Directory entry obtained is not valid or does not have the required permissions.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. For every user or group, there will be a directory path and the path has an object class, if the object class is group and directory entry has more than one group type or the group type is not an integer which will not happen in normal functionality. So in normal functionality, the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

• Suspect Windows accounts encountered processing OS objects
• Active Directory entry obtained is not valid or does not have the required permissions.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. For every user or group, there will be a directory path. The directory path will not be null or empty in normal functionality. So in normal functionality, the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

• Suspect Windows accounts encountered processing OS objects
• Active Directory entry obtained is not valid or does not have the required permissions.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. For every user or group, there will be a directory path and the path has an object class, if the object class is group and directory entry has more than one group type or the group type is not an integer which will not happen in normal functionality. So in normal functionality, the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the WinNT path obtained is valid. If the path is valid, check if the account has elevated privileges and account used to get domain directory details have read/write permissions.

• Suspect Windows accounts encountered processing OS objects.
• Failed to get domain directory entry for given WinNT path.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. For each user or group, there are domain details and for each domain, there is a directory path created. In normal functionality, the domain directory path will be created since it will not be null or empty therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the WinNT path obtained is valid. If the path is valid, check if the account has elevated privileges and account used to get domain directory details have read/write permissions.

• Suspect Windows accounts encountered processing OS objects.
• Error in parsing the given WinNT path [specific WinNT path].

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. For each user or group, there are domain details and for each domain, there is a directory path created. In normal functionality, the domain directory path has the domain name which can be extracted successfully so it will not be null or empty therefore the negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the given SID is a valid group SID. If not, one try changing the scope of the account through :

• Programs.
• Administrative Tools.
• Active Directory Users and Computers.

• Suspect Windows accounts encountered processing OS objects.
• No group members retrieved for the groupSID - [specific SID group].

This error should come when a group with the respective groupSID does not have a member. According to code, an error will be reproduced when a member's object is null. members' object is never null even if there is no member. If there is no member, then members object will have count as 0. Since the check is if the members object is null, so this is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the given SID is a valid group SID. If not, one try changing the scope of the account through :

• Programs.
• Administrative Tools.
• Active Directory Users and Computers.

• Suspect Windows accounts encountered processing OS objects.
• No group members retrieved for the groupSID - [specific SID group].

This error should come when the group is null. Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. So, in a normal functioning environment, the group is not null. Therefore, the error is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2]
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI]

Check if the given SID is a valid group SID. If not, one try changing the scope of the account through:

• Programs.
• Administrative Tools.
• Active Directory Users and Computers.
• Check if the given path is valid and has read/write permission.

• Suspect Windows accounts encountered processing OS objects.
• Failed to create an account for File Access Rights.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. To get users and group account LookupAccountSid is executed which is a windows API and an account are created for files that have permissions for the file and is accessible, it returns file details for the specified SID. So in the normal functioning account will be created for file access rights therefore negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the given SID is a valid group SID. If not, one try changing the scope of the account through:

• Programs.
• Administrative Tools.
• Active Directory Users and Computers.
• Check if the given path is valid and has read/write permission.

• Suspect Windows accounts encountered processing OS objects.
• Failed to create an account for File Audit Rights.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. To get users and group account LookupAccountSid is executed which is a windows API and an account are created for files that have permissions for the file and is accessible, it returns file details for the specified SID. So in the normal functioning account will be created for file access rights therefore negative case is not reproduced.

• Suspect Windows accounts encountered processing OS objects [UI] [Old message replaced by the message below in 3.2].
• We could not load/read data while processing OS objects. Please check the Activity logs of the server for possible solutions to avoid this. [UI].

Check if the given SID is a valid group SID. If not, one try changing the scope of the account through:

• Programs.
• Administrative Tools.
• Active Directory Users and Computers.
• Check if the given path is valid and has read/write permission.

• Suspect Windows accounts encountered processing OS objects
• Failed to create an account for File Audit Settings.

Users and group accounts are fetched using SQL Server’s file permissions and registry permissions. So, users and groups exist and are accessible. To get users and group account LookupAccountSid is executed which is a windows API and an account are created for files that have permissions for the file and is accessible, it returns file details for the specified SID. So in the normal functioning account will be created for file access rights therefore negative case is not reproduced.