Client Management Suite


USER RID 500: What is it, and why is it appearing in my LSS Reports? 

May 14, 2009 02:34 PM

 
While attempting to run a report for local administrator password access from Local Security Solution 6.1 (LSS), the report for some of the client machines displayed "User RID 500" rather than a computer/username. Who is he? :)

Further research showed that Local Security Solution (LSS) uses a "Local User Inventory Policy" which, by default, has a capture interval of every 12 hours. This inventory sends an NSE file to the Notification Server (NS) that contains all the data needed to properly create a local user resource. This should get created as "Computer Name/User". LSS also has the password reset policy, which sends an event up containing the password change information. Because the password change is on a known RID (Relative Identifier; in this case the local Administrator account, which has a predefined RID of 500), the current policy applies to new computers.

The known RID is substituted as "User RID 500" when the password reset event is sent up before the NS has received the local user inventory data. When the password event is received for an unknown resource, the Data Loader must create a resource to receive the event, and the only data the event has to create the resource from is the RID. Basically, the issue comes down to a race condition. Once the name is set, the Data Loader will not change it in the database. There are a couple of options for resolution/workaround.

1. Upgrade to SP2 of LSS. While this will not resolve the problem for existing machines, the code has been updated to prevent new machines from having this problem going forward.

2. Existing computers can be resolved using a connector rule to update the resource name. Using the same logic as below, a rule can be built which performs the same tasks as Option 3.

3. A SQL update can update the "User RID 500" in the item table to correctly reflect the proper computer name and add "Administrator" so that the reports properly reflect the correct administrator information. This should only need to be run once. The SQL is below.


-- Rename each placeholder item to "<computer name>\Administrator"
UPDATE i SET i.name = ic.name + '\Administrator'
FROM item i
JOIN resourceassociation ra
  ON ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
 AND ra.childresourceguid = i.guid
JOIN item ic ON ic.guid = ra.parentresourceguid  -- ic = parent computer item
WHERE i.name = 'User RID 500'
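
The same rename wrapped in a preview, a backup and a transaction, as an added example that is not part of the original article. It assumes Microsoft SQL Server (T-SQL) and uses only the tables and columns from the statement above, plus a hypothetical backup table named item_rid500_backup.

```sql
-- Added example: preview, back up, then apply the article's rename in a transaction.
-- Table and column names come from the article's statement; the backup table name
-- item_rid500_backup is hypothetical.

-- 1. Preview each placeholder and the name it would receive.
--    parent_count > 1 means more than one parent matches; review that row by hand.
SELECT i.guid,
       i.name                          AS current_name,
       MIN(ic.name) + '\Administrator' AS proposed_name,
       COUNT(*)                        AS parent_count
FROM item i
JOIN resourceassociation ra
  ON ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
 AND ra.childresourceguid = i.guid
JOIN item ic ON ic.guid = ra.parentresourceguid
WHERE i.name = 'User RID 500'
GROUP BY i.guid, i.name;

-- 2. Save the original rows so the change can be reverted.
SELECT guid, name INTO item_rid500_backup FROM item WHERE name = 'User RID 500';

-- 3. Apply the update; commit only if it renamed exactly the previewed rows.
DECLARE @expected INT, @updated INT;

BEGIN TRANSACTION;

SELECT @expected = COUNT(DISTINCT i.guid)
FROM item i
JOIN resourceassociation ra
  ON ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
 AND ra.childresourceguid = i.guid
JOIN item ic ON ic.guid = ra.parentresourceguid
WHERE i.name = 'User RID 500';

UPDATE i SET i.name = ic.name + '\Administrator'
FROM item i
JOIN resourceassociation ra
  ON ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
 AND ra.childresourceguid = i.guid
JOIN item ic ON ic.guid = ra.parentresourceguid
WHERE i.name = 'User RID 500';

SET @updated = @@ROWCOUNT;

IF @updated = @expected
    COMMIT TRANSACTION;
ELSE
    ROLLBACK TRANSACTION;
SELECT @expected AS expected_rows, @updated AS updated_rows;
```

Placeholder rows that appear in the backup table but not in the preview have no matching association and are left unchanged by the update.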


Comments

Jun 19, 2009 02:31 PM

Here's the link to Brent's article - http://www.symantec.com/connect/articles/using-local-security-solution-manage-passwords-clients-dmz - currently published and viewable.

Cheryl

Jun 19, 2009 02:20 PM

Brent,
Looks like it hasn't gone "live" yet...at least it is not browsable.  Earlier in the week one of the other TA's posted an article and gave me a direct link and I was able to open it.

Jun 19, 2009 01:17 PM

I try once in a while - Not perfect - Just posted a new article on DMZ password management using LSS. Have a read and let me know what you think.
 

May 25, 2009 12:09 AM

Once again...one of those weird things I see in the console, and there you are with the answer!  Thanks!
