COMMAND

    kernel (LookupAccountName)

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Frank Heyne found following.  He found another badly designed  Win
    API function.   In some cases,  LookupAccountName returns a  wrong
    SID by design.  From the API docu:

        "The LookupAccountName function accepts  the name of a  system
        and an account  as input. It  retrieves a security  identifier
        (SID) for the account and the name of the domain on which  the
        account was found.
        ...

        The  LookupAccountName  function  attempts  to find a security
        identifier for the specified name by first checking a list  of
        well-known SIDs."

    This design produces wrong results  in all versions of Windows  NT
    if the name of the user  account matches the name of a  well-known
    SID.   (These  names  differ,  depending  of the language specific
    version of NT, so  they are not well  known to every admin  around
    the  world,  btw.)   But  NT  does  allow  to create such accounts
    without a warning, and there are absolutely no problems using such
    accounts.   An account  defined by  admin is  always related  to a
    machine or a domain, a well-known SID defined by Microsoft is not,
    it is  BUILTIN in  ALL NT  installations instead.   So a  properly
    designed function LookupAccountName could just check the  provided
    name of the system to decide whether it should return a well-known
    SID or not.

SOLUTION

    Nothing yet.