# No Users in Local Administrators Group



## meedax (Jan 22, 2009)

Hey guys, I've searched around on the internet for a resolution to this problem and the best I've found is a couple of posts on other forums describing this problem but no solution. The other guys were running Windows 2000 I think, not Vista.

When attempting to view the members of the local administrators group I see 
no users at all, even when in the context of the local administrators 
account. If I attempt to add an account to the group that I know is in there 
already, I receive the following message: 

"Username" is already a member of group "Administrators".

I've also tried running a vb script to enumerate the users in local 
administrators group and this returns no results. (Can provide the code if required).

I knocked up a C# app that calls NetLocalGroupGetMembers but this returns 87 (ERROR_INVALID_PARAMETER) when the groupname parameter = "administrators". When groupname = "users" the function returns 0 (ERROR_SUCCESS), indicating that it is successful.

Any ideas how I can resolve this?


----------



## jcgriff2 (Sep 30, 2007)

Hi - 

Try this & see if it brings names/additional info out for you:

Bring up an *elevated* admin cmd/DOS prompt - 
START | type cmd.exe into the start search box | right click on cmd.exe | select run as administrator | paste the following in (right-click at top of DOS screen, select Edit, select Paste) -

```
whoami /all > %temp%\w1.txt & start notepad %temp%\w1.txt
```
Regards. . .

jcgriff2



----------



## meedax (Jan 22, 2009)

Hi jcgriff2, thanks for the reply.

I gave that a go for a couple of domain accounts that I know to be in the Local Administrators group. 

In both cases it listed that they were both a member of the Local Admin group:


```
Group Name: BUILTIN\Administrators  
Type: Alias
SID: S-1-5-32-544
Attributes: Mandatory group, Enabled by default, Enabled group, Group owner
```
So far so good. However, it still doesn't show me all the members of the Local Admin group. Your suggestion did get me thinking, so I tried (from an elevated command prompt):


```
net localgroup administrators
```
which returned:


```
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
System error 87 has occurred.

The parameter is incorrect.
```
This is the error I received when calling the NetLocalGroupGetMembers API directly - so it helps to rule out a coding error on my part.

Incidentally, the following:


```
net localgroup users
```
worked fine:


```
Alias name     users
Comment        Users are prevented from making accidental or intentional system-wide changes and can
 run most applications

Members

-------------------------------------------------------------------------------
ASPNET
debugger
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
Test
XRDS\Domain Users
The command completed successfully.
```


----------



## meedax (Jan 22, 2009)

I've done some further debugging of the NetLocalGroupGetMembers API and it looks like it calls LsarLookupSids2 (translates SIDs into names), which fails - returning C000000D (STATUS_INVALID_PARAMETER in ntstatus.h). This then gets translated to 87 (ERROR_INVALID_PARAMETER in winerror.h) before being returned by NetLocalGroupGetMembers.


----------
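
Added example, not part of any post in this thread: since the post above traces error 87 to the SID-to-name lookup, this PowerShell sketch calls NetLocalGroupGetMembers at level 0 (SIDs only) and then translates each SID separately, so one unresolvable member is reported on its own line instead of failing the whole listing. Assumptions: that level 0 succeeds on a machine in this state, and the helper name `LocalGroupSids`, which is made up here.

```powershell
# Added example. LocalGroupSids is a made-up helper name.
$src = @'
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class LocalGroupSids {
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int NetLocalGroupGetMembers(string server, string group, int level,
        out IntPtr buf, int prefMaxLen, out int entriesRead, out int totalEntries,
        IntPtr resumeHandle);

    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buf);

    public static List<string> Get(string group) {
        IntPtr buf; int read; int total;
        // Level 0 = LOCALGROUP_MEMBERS_INFO_0: one PSID per entry, no account names.
        int rc = NetLocalGroupGetMembers(null, group, 0, out buf, -1,
                                         out read, out total, IntPtr.Zero);
        if (rc != 0) throw new Win32Exception(rc);   // e.g. 87 = ERROR_INVALID_PARAMETER
        try {
            List<string> sids = new List<string>();
            for (int i = 0; i < read; i++) {
                IntPtr pSid = Marshal.ReadIntPtr(buf, i * IntPtr.Size);
                sids.Add(new SecurityIdentifier(pSid).Value);
            }
            return sids;
        } finally { NetApiBufferFree(buf); }
    }
}
'@
Add-Type -TypeDefinition $src

# Translate each SID on its own; a failure is recorded per member, not for the group.
foreach ($s in [LocalGroupSids]::Get('Administrators')) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $s
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = "<unresolved: $($_.Exception.Message)>" }
    New-Object PSObject -Property @{ SID = $s; Name = $name }
}
```

Run it from an elevated prompt, as with the other commands in the thread.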



## jcgriff2 (Sep 30, 2007)

Did you get a listing like this -

```
Group Name                           Type             SID          Attributes                                                     
==================================== ================ ============ ===============================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group             
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group             
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group             
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group             


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
```


----------



## meedax (Jan 22, 2009)

I've omitted the domain groups for security purposes, however they were all effectively:


```
DOMAIN\GROUP             Group            SID  Mandatory group, Enabled by default, Enabled group
```


```
GROUP INFORMATION
-----------------

Group Name                                           Type             SID                                             Attributes                                                     
==================================================== ================ =============================================== ===============================================================
Everyone                                             Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group             
AlexDev\Debugger Users                               Alias            S-1-5-21-1533202280-930934923-281820185-1009    Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                               Alias            S-1-5-32-544                                    Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                        Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE                             Well-known group S-1-5-4                                         Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users                     Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization                       Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group             
LOCAL                                                Well-known group S-1-2-0                                         Mandatory group, Enabled by default, Enabled group             
[DOMAIN GROUPS OMITTED]
Mandatory Label\High Mandatory Level                 Unknown SID type S-1-16-12288                                    Mandatory group, Enabled by default, Enabled group             


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
```
I've also carried out a checkdisk including scanning for bad sectors. There were no errors reported.


----------



## pfrank61 (Oct 23, 2009)

Hello,

I am having exactly the same issue here. Did you get the solution for this?

Thanks
Paul


----------



## meedax (Jan 22, 2009)

No, unfortunately not. I rebuilt the machine in the end.


----------

