When attempting to open the SESC console the following error message is displayed and the console is not opened:
You either have insufficient permissions to access this application or your user credentials are not refreshed.
Try logging off and logging in again to reload the user credentials.
Conditions
1. On the SESC computer, open a PowerShell command prompt.
2. Paste the following code into the PowerShell window and press Enter to run it:
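# Get the identity (and logon token) of the current user.
$windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# Group SIDs carried in the token, including nested group memberships.
$groups = $windowsIdentity.Groups
foreach ($group in $groups)
{
    try
    {
        # Convert the SID to a DOMAIN\Name account name.
        $group.Translate([System.Security.Principal.NTAccount])
    }
    catch
    {
        # The SID could not be resolved: show the SID and the error text.
        Write-Host "Error trying to translate SID: "
        $group | Format-List
        $_.Exception.Message
    }
}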
The output looks like this when some of the SIDs fail to resolve to group names:
Value
-----
SESC\None
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
Exception calling "Translate" with "1" argument(s): "Some or all identity refer
ences could not be translated."
At C:\Temp\test.ps1:6 char:18
+ $group.Translate <<<< ([System.Security.Principal.NTAccount])
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Exception calling "Translate" with "1" argument(s): "Some or all identity refer
ences could not be translated."
At C:\Temp\test.ps1:6 char:18
+ $group.Translate <<<< ([System.Security.Principal.NTAccount])
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Exception calling "Translate" with "1" argument(s): "Some or all identity refer
ences could not be translated."
At C:\Temp\test.ps1:6 char:18
+ $group.Translate <<<< ([System.Security.Principal.NTAccount])
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
In the example above, all the local group names are resolved. However, none of the domain group names are resolved.
The SESC console obtains the set of groups the user is part of. The group information consists of Windows SIDs. SESC then attempts to convert each SID into a group name. If the conversion fails, the error message is shown.
This issue must be resolved within Active Directory.
Here are some ideas:
Fixing the root cause may require the use of ADSI Edit to fix or delete the broken SID. Because this process can have a substantial impact on domain operations, Symantec recommends contacting Microsoft for assistance with this process, as we cannot guarantee the outcome of making changes in the domain.
Technical Information
The list of SIDs includes any groups within groups. For example, if the user is a member of "Domain Admins" and the "Domain Admins" group has been added to the "Schema Admins" group, the "Schema Admins" SID shows up in this list of SIDs associated with this user account as if the user was directly a member of "Schema Admins". The user is not necessarily directly a member of the group with the broken SID to NT name translation.
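Because the broken SID may belong to a nested group rather than one the user was added to directly, it helps to hand the domain administrator the exact SID values. The following is an added example, not part of the original article or Symantec's code: it lists only the SIDs in the current logon token that fail to translate, split into domain portion and RID. The variable and column names are illustrative.

```powershell
# Added example (not from the original article). Names below are illustrative.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Domain (or local machine) SID of the logged-on account, used for comparison.
$userDomainSid = $identity.User.AccountDomainSid

$unresolved = @()
foreach ($sid in $identity.Groups)
{
    try
    {
        # Throws when no account name maps to this SID.
        $null = $sid.Translate([System.Security.Principal.NTAccount])
    }
    catch
    {
        # AccountDomainSid is $null for well-known and BUILTIN SIDs.
        $domainSid = $sid.AccountDomainSid
        $domainText = ''
        $sameDomain = $false
        if ($domainSid -ne $null)
        {
            $domainText = $domainSid.Value
            if ($userDomainSid -ne $null)
            {
                $sameDomain = $domainSid.Equals($userDomainSid)
            }
        }

        $unresolved += New-Object PSObject -Property @{
            Sid              = $sid.Value
            DomainSid        = $domainText
            Rid              = $sid.Value.Split('-')[-1]   # last sub-authority
            SameDomainAsUser = $sameDomain
            Error            = $_.Exception.GetBaseException().Message
        }
    }
}

if ($unresolved.Count -eq 0)
{
    Write-Host "All group SIDs in the token translated to names."
}
else
{
    $unresolved | Select-Object Sid, DomainSid, Rid, SameDomainAsUser, Error | Format-List
}
```

Run it in the same logon session that shows the console error, since the group list comes from that session's token.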