Endpoint Management Community Blog

USER RID 500: What is it, and why is it appearing in my LSS Reports?

Created: 14 May 2009 • 4 comments
BRING's picture

 
A report for local administrator password access, run from Local Security Solution 6.1 (LSS), displayed "User RID 500" for some of the client machines instead of a computer/username. Who is he? :)

Further research showed that Local Security Solution (LSS) uses a "Local User Inventory Policy" which, by default, has a capture interval of every 12 hours. This inventory sends an NSE file to the Notification Server (NS) that contains all the data needed to properly create a local user resource. The resource should be created as "Computer Name/User". LSS also has the password reset policy, which sends up an event containing the password change information. Because the password change is on a known RID (Relative Identifier), in this case the local Administrator account, which has a pre-defined RID of 500, the current policy applies to new computers.

The known RID shows up as "User RID 500" when the password reset event is sent up before the NS has received the local user inventory data. When the password event is received for an unknown resource, the Data Loader must create a resource to receive the event. The only data the event provides for creating the resource is the RID. Basically, the issue comes down to a race condition. Once the name is set, the Data Loader will not change it in the database. There are a couple of options for resolution/workaround.

1. Upgrade to SP2 of LSS. While this will not resolve the problem for existing machines, the code has been updated to prevent any new machines from having this problem going forward.

2. Existing computers can be resolved using a connector rule to update the resource name. Using the same logic as the SQL below, a rule can be built which performs the same task as Option 3.

3. A SQL update can update the "User RID 500" in the item table to correctly reflect the proper computer name and add "Administrator" so that the reports properly reflect the correct administrator information. This should only need to be run once. The SQL is below.

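-- Rename each placeholder "User RID 500" resource to <computer name>\Administrator.
-- The association row links the user resource (child) to its computer resource (parent).
update i set i.name = ic.name + '\Administrator'
from item i
join resourceassociation ra on ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667' and ra.childresourceguid = i.guid
join item ic on ic.guid = ra.parentresourceguid
where i.name = 'User RID 500'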
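
A more cautious way to run the one-time update from Option 3, as an added example that is not part of the original post: preview the affected rows, apply the change inside a transaction, and list what remains. It reuses only the table and column names and the association type GUID from the statement above; the multiple-parent guard covers an assumed edge case that the post does not mention.

```sql
-- Added example (T-SQL), not the article's own code. It reuses only the tables,
-- columns and association type GUID from the article's update statement.
SET XACT_ABORT ON;

-- 1. Preview: each placeholder resource and the name it would receive.
SELECT i.guid AS user_guid, i.name AS current_name,
       ic.name + '\Administrator' AS new_name
FROM item i
JOIN resourceassociation ra
  ON ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
 AND ra.childresourceguid = i.guid
JOIN item ic ON ic.guid = ra.parentresourceguid
WHERE i.name = 'User RID 500';

-- 2. Apply inside a transaction. Assumption: a placeholder joined to more than
--    one parent would get an arbitrary name, so that case aborts the change.
BEGIN TRANSACTION;
IF EXISTS (
    SELECT i.guid
    FROM item i
    JOIN resourceassociation ra
      ON ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
     AND ra.childresourceguid = i.guid
    WHERE i.name = 'User RID 500'
    GROUP BY i.guid
    HAVING COUNT(*) > 1
)
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Ambiguous parent for a "User RID 500" resource; nothing changed.', 16, 1);
END
ELSE
BEGIN
    UPDATE i SET i.name = ic.name + '\Administrator'
    FROM item i
    JOIN resourceassociation ra
      ON ra.resourceassociationtypeguid = 'CB7A9331-278D-451F-870A-E9BC55439667'
     AND ra.childresourceguid = i.guid
    JOIN item ic ON ic.guid = ra.parentresourceguid
    WHERE i.name = 'User RID 500';
    COMMIT TRANSACTION;
END

-- 3. Anything still listed has no matching association and was left untouched.
SELECT guid, name FROM item WHERE name = 'User RID 500';
```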

4 Comments

KSchroeder's picture

Once again...one of those weird things I see in the console, and there you are with the answer!  Thanks!

Thanks,
Kyle
Symantec Trusted Advisor

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.

BRING's picture

I try once in a while - Not perfect - Just posted a new article on DMZ password management using LSS. Have a read and let me know what you think.
 

KSchroeder's picture

Brent,
Looks like it hasn't gone "live" yet...at least it is not browsable.  Earlier in the week one of the other TA's posted an article and gave me a direct link and I was able to open it.

Thanks,
Kyle
Symantec Trusted Advisor

ohzone - CherylPeterson's picture

Here's the link to Brent's article - http://www.symantec.com/connect/articles/using-local-security-solution-manage-passwords-clients-dmz - currently published and viewable.

Cheryl

Endpoint Management,
Endpoint Virtualization
Managing Mobility
Community Manager
www.twitter.com/EMnV_symc
Need Altiris help? IRC chat #Altiris
