USER RID 500: What is it, and why is it appearing in my LSS Reports?
When running a report for local administrator password access from Local Security Solution 6.1 (LSS), the report displayed "User RID 500" for some of the client machines instead of referencing a computer/username. Who is he? :)
Further research showed that Local Security Solution (LSS) uses a "Local User Inventory Policy" which, by default, has a capture interval of every 12 hours. This inventory sends an NSE file to the Notification Server (NS) that contains all the data needed to properly create a local user resource. The resource should be created as "Computer Name/User". LSS also has the password reset policy, which sends up an event containing the password change information. Because the password change is on a known RID (Relative Identifier; in this case the local Administrator account, which has a pre-defined RID of 500), the current policy applies to new computers.
The issue of "User RID 500" appearing in place of the expected name occurs when the password reset event is sent up before the local user inventory data has been received by the NS. When the password event is received for an unknown resource, the Data Loader must create a resource to receive the event. The only data the event has to create the resource from is the RID. Basically, the issue comes down to a race condition. Once the name is set, the Data Loader will not change it in the database. There are a couple of options for resolution/workaround.
1. Upgrade to SP2 of LSS. While this will not resolve the problem for existing machines, the code has been updated to preclude any new machines from having this problem going forward.
2. Existing computers can be resolved using a connector rule to update the resource name. Using the same logic as below, a rule can be built which performs the same tasks as Option 3.
3. A SQL update can update the "User RID 500" in the item table to correctly reflect the proper computer name and add "Administrator" so that the reports properly reflect the correct administrator information. This should only need to be run once. The SQL is below.
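-- Rename each 'User RID 500' item to <computer name>\Administrator, using the parent computer found through the resource association.
UPDATE i
SET i.name = ic.name + '\Administrator'
FROM item i
JOIN resourceassociation ra ON ra.childresourceguid = i.guid
  AND ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
JOIN item ic ON ic.guid = ra.parentresourceguid
WHERE i.name = 'User RID 500'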
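A dry-run wrapper around the statement above, added here as an example and not part of the original article or the product: it previews the rename, flags placeholder rows that have no parent computer or more than one (which the UPDATE would skip or resolve arbitrarily), and rolls back by default. It assumes Microsoft SQL Server (T-SQL) and uses only the tables, columns and association type GUID that appear in the article's statement.

```sql
-- Added example (T-SQL). Run against the NS database; ends in ROLLBACK so nothing is changed.
SET XACT_ABORT ON;
BEGIN TRANSACTION;

-- 1. Preview each placeholder, its parent computer, and the name it would receive.
--    LEFT JOINs keep placeholders that have no association (new_name is NULL for those).
SELECT i.guid  AS user_guid,
       i.name  AS current_name,
       ic.name AS computer_name,
       ic.name + '\Administrator' AS new_name
FROM item i
LEFT JOIN resourceassociation ra
       ON ra.childresourceguid = i.guid
      AND ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
LEFT JOIN item ic ON ic.guid = ra.parentresourceguid
WHERE i.name = 'User RID 500';

-- 2. Placeholders that do not map to exactly one parent computer.
--    0 parents: the UPDATE leaves the row as 'User RID 500'.
--    2+ parents: UPDATE ... FROM picks one match arbitrarily.
SELECT i.guid AS user_guid,
       COUNT(ra.parentresourceguid) AS parent_count
FROM item i
LEFT JOIN resourceassociation ra
       ON ra.childresourceguid = i.guid
      AND ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
WHERE i.name = 'User RID 500'
GROUP BY i.guid
HAVING COUNT(ra.parentresourceguid) <> 1;

-- 3. The article's update, unchanged in behaviour.
UPDATE i
SET i.name = ic.name + '\Administrator'
FROM item i
JOIN resourceassociation ra
     ON ra.childresourceguid = i.guid
    AND ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
JOIN item ic ON ic.guid = ra.parentresourceguid
WHERE i.name = 'User RID 500';

SELECT @@ROWCOUNT AS rows_renamed;

-- 4. Anything still carrying the placeholder name after the update.
SELECT COUNT(*) AS placeholders_remaining
FROM item
WHERE name = 'User RID 500';

-- Dry run: discard the change. Replace with COMMIT TRANSACTION once the results above look right.
ROLLBACK TRANSACTION;
```

If query 2 returns rows, resolve those associations first; the rows_renamed count should otherwise match the number of rows in the preview.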