How Can I Restore the Built-in Administrators Group SID?

Asked By TechyTommy42 On

I've encountered some odd issues with the 'Run as Administrator' function on two of my servers. After some troubleshooting, it seems that the local Administrators group has been deleted and replaced with a new group that has a regular SID (S-1-5-21-*), instead of the original built-in SID (S-1-5-32-544). I've attempted a few methods to restore it, including using `secedit` to try and fix things, but even after deleting the local Administrators group and running the command `secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose`, rebooting hasn't returned the correct SID. I'm looking for ways to recreate the built-in Administrators group properly. Any advice or insights would be greatly appreciated!

4 Answers

Answered By Troubleshooter101 On

That’s a tricky situation! I honestly wouldn't have guessed it could happen either. Your best bet might be to consider rebuilding the server or checking older snapshots you have.

Answered By Check_the_SIDs On

Have you double-checked to see if the group hasn’t just been renamed? You can do this by querying it through the SID. Sometimes it might not be exactly what it seems.
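A check along the lines this answer suggests, added here as an example and not code from the thread: it resolves S-1-5-32-544 to whatever name it currently carries, lists every local group with its SID, and compares the SID of the group literally named "Administrators" against the well-known value. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, run from an elevated session.

```powershell
# Added diagnostic (not from the original thread): compare the well-known
# built-in Administrators SID with whatever group currently carries the
# "Administrators" name on this host. Run in an elevated PowerShell session.
$BuiltinAdminsSid = 'S-1-5-32-544'

# 1. Resolve the well-known SID to an account name. If the built-in group is
#    intact this returns BUILTIN\Administrators (or its renamed/localized name).
try {
    $sid  = [System.Security.Principal.SecurityIdentifier]::new($BuiltinAdminsSid)
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    Write-Output "S-1-5-32-544 resolves to: $name"
} catch {
    Write-Output 'S-1-5-32-544 does not resolve to any account on this host.'
}

# 2. List every local group with its SID. A renamed built-in group shows up
#    here with the -544 SID under a different name.
Get-LocalGroup | Select-Object Name, SID | Sort-Object Name | Format-Table -AutoSize

# 3. Check which SID the group literally named "Administrators" has.
$adminsByName = Get-LocalGroup -Name 'Administrators' -ErrorAction SilentlyContinue
if ($null -eq $adminsByName) {
    Write-Output 'No local group named "Administrators" exists.'
} elseif ($adminsByName.SID.Value -eq $BuiltinAdminsSid) {
    Write-Output 'The "Administrators" group carries the built-in SID; it is intact.'
} elseif ($adminsByName.SID.Value -like 'S-1-5-21-*') {
    # This is the condition described in the question: a regular local group
    # re-created under the built-in name, which elevation does not treat as
    # the real BUILTIN\Administrators.
    Write-Output "WARNING: ""Administrators"" has a regular SID ($($adminsByName.SID.Value)), not S-1-5-32-544."
} else {
    Write-Output "Unexpected SID on ""Administrators"": $($adminsByName.SID.Value)"
}
```

If step 1 resolves to a name other than Administrators while step 3 reports a regular SID, the built-in group was renamed rather than deleted, which is the case this answer is asking about.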

Answered By SysAdminGuru99 On

Unfortunately, you can’t restore the built-in local Administrators group (S-1-5-32-544) once it’s deleted like that. The OS creates this SID, and if it’s replaced by a normal local or domain group (S-1-5-21-*), there’s no supported method to revert to the original SID. Tools like `secedit` or `net localgroup` won’t help since they won’t recreate well-known SIDs. Your best bet is to either do an in-place repair upgrade of Windows or just rebuild the server. If these are Domain Controllers, rebuilding is often the safer route since those SIDs are tied to many security assumptions.

Answered By RebuildExpert88 On

I’m puzzled about how the Administrators group got deleted in the first place since the system usually protects that group. Some potential reasons could be a Group Policy Preference setting aimed at the Administrators group, bypassing of system protections by someone executing bizarre commands, or maybe a corruption in the SAM database. I wouldn’t trust those systems as they are; wiping and reinstalling might be your best move. The only reason left to keep working on this would be pure curiosity.

CuriousCat24 -

I have a feeling it’s definitely a Group Policy issue. It's strange enough to want to get to the bottom of it before assuming it’s just a bad software problem.

FoulPlayFinder -

Yeah, I completely agree. With that level of issues, it’s vital to investigate whether there’s been some foul play making things go haywire.
