security account management


Applies To: Windows Server 2008, Windows Server 2003 with SP1, Windows Server 2003, Windows Server 2003 R2

Manages security identifiers (SIDs). At the security account maintenance: prompt, type any of the parameters listed under “Syntax.”

This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax



[{check duplicate SID | cleanup duplicate SID}] [connect to server %s] [log file %s]

Parameters

| Parameter | Description |
| --- | --- |
| check duplicate SID | Checks the Security Accounts Manager (SAM) database for any objects that have duplicate SIDs but does not delete any of the duplicates. |
| cleanup duplicate SID | Deletes all objects that have duplicate SIDs and logs these entries into the log file. |
| connect to server %s | Connects to the server, NetBIOS name, or Domain Name System (DNS) host name. You must connect to a specific domain controller before you can check for or clean up duplicate SIDs. |
| log file %s | Sets the log file name to %s. If you do not explicitly set a log file name, the default log file name is dupsid.log. |
| quit | Takes you back to the previous menu, or exits the utility. |
| ? | Displays Help at the command prompt. |
| Help | Displays Help at the command prompt. |

Remarks

Examples

To connect to a domain controller named DC1, type the following command, and then press ENTER:


security account maintenance: connect to server DC1

To check for duplicate SIDs on a domain controller named DC1, type the following command, and then press ENTER:


security account maintenance: check duplicate SID
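
The same read-only check can be scripted by passing each prompt command to ntdsutil as a quoted argument. The following PowerShell is an added example, not part of the original documentation; the function name, the log directory, and the domain controller names DC1 and DC2 are assumptions, and it must be run from an elevated session on a computer where ntdsutil is installed.

```powershell
# Added example: read-only duplicate-SID check against several domain controllers.
# Assumptions: elevated session, ntdsutil.exe on PATH, placeholder DC names and log directory.
function Invoke-DuplicateSidCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [string]$LogDirectory = 'C:\Temp\dupsid'   # hypothetical location, no spaces in path
    )

    if (-not (Get-Command ntdsutil.exe -ErrorAction SilentlyContinue)) {
        throw 'ntdsutil.exe not found; install the AD DS or AD LDS role, or the RSAT tools.'
    }
    New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null

    foreach ($dc in $DomainController) {
        # One log per DC so results do not all land in the default dupsid.log.
        $log = Join-Path $LogDirectory "dupsid-$dc.log"

        # Each argument is one command as it would be typed at the ntdsutil prompts.
        # Only "check duplicate SID" is issued; "cleanup duplicate SID" deletes objects
        # and is deliberately left out of this script.
        $ntdsArgs = @(
            'security account management',
            "log file $log",
            "connect to server $dc",
            'check duplicate SID',
            'quit', 'quit'
        )
        $output = & ntdsutil.exe @ntdsArgs 2>&1

        # Return the console output and whether a log file was produced, for review.
        [pscustomobject]@{
            DomainController = $dc
            LogFile          = $log
            LogWritten       = Test-Path $log
            ConsoleOutput    = ($output | Out-String).Trim()
        }
    }
}

# DC1 and DC2 are placeholder names.
Invoke-DuplicateSidCheck -DomainController 'DC1', 'DC2' | Format-List
```

Review the console output and any log file for each domain controller before deciding whether to run cleanup duplicate SID interactively.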
