Hello Joe,
Thank you for posting your question on the Microsoft Windows Forum.
Based on your issue description, the problem you are experiencing is highly likely caused by a custom Group Policy Object (GPO). When your predecessor recreated the network, they likely created a new GPO to apply security settings and, in doing so, accidentally included references to user groups from the old, now-deleted domain. The potential causes are as follows.
- Your predecessor created a new GPO and likely added the "Domain Users" group from the old domain to the "Allow log on locally" policy.
- When that old domain was destroyed, its SID became invalid.
- In your new domain, Windows sees this old SID in the GPO but cannot resolve it to a known name. It therefore displays it as an "unidentified SID."
- Because this policy is enforced, it overwrites the local settings on your client machines, removing the new "Domain Users" group and adding the old, invalid one, thus blocking logins.
Based on the above possible causes, you can try the following suggested troubleshooting steps.
1. Run Group Policy Results on an affected PC.
- On one of the Windows 11 computers after the problem has reappeared (i.e., the power options are missing), run the following command from an administrative Command Prompt or PowerShell:
- gpresult /h gpreport.html
- This command generates a detailed HTML report named gpreport.html in the current directory.
2. Analyze the gpreport.html file.
- Navigate to the Computer Details section.
- Go to Policies -> Windows Settings -> Security Settings -> Local Policies/User Rights Assignment.
- Look for the following two policies:
  - Allow log on locally
  - Shut down the system
- For each of these policies, the report will show you a list of the applied settings and, most importantly, the name of the Winning GPO. This is the GPO that might cause your problem.
3. Verify the Winning GPO.
- Once you have identified the name of the offending GPO from the report:
- On your Windows Server 2022 domain controller, open the Group Policy Management Console (you can search for gpmc.msc).
- Find the GPO you identified in Step 2, right-click it, and select Edit.
- In the Group Policy Management Editor, navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
- Check the Logon Policy:
  - Find and double-click the "Allow log on locally" policy.
  - You will likely see the "Account Unknown" or unidentified SID. Remove it.
  - Ensure that the necessary groups for your new domain, such as Administrators and Domain Users, are present. If not, add them.
- Check the Shutdown Policy:
  - Find and double-click the "Shut down the system" policy.
  - By default, this right is granted to Administrators and Users. Ensure the Users group (or Domain Users) is listed here. If it's missing, users won't see the shutdown/restart options. Add it back.
Hope the above information is helpful!
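As an added example (not part of the answer above and not a Microsoft tool), the following PowerShell script checks an affected client for the symptom described: it exports the effective local security policy with secedit and reports which SIDs in the "Allow log on locally" (SeInteractiveLogonRight) and "Shut down the system" (SeShutdownPrivilege) rights cannot be resolved to an account name. It assumes an elevated PowerShell session on the client; the function and file names are the example's own.

```powershell
# Added example: list every SID assigned to the two user rights discussed above
# and flag the ones Windows cannot map to an account (the "unidentified SID").
# Run from an elevated PowerShell session on an affected Windows 11 client.
function Test-UserRightSids {
    param(
        [string[]]$Rights = @('SeInteractiveLogonRight', 'SeShutdownPrivilege')
    )
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # temporary export file (example's choice)
    # secedit writes an INI-style file; the [Privilege Rights] section holds lines such as
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    # where each SID is prefixed with an asterisk.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    foreach ($right in $Rights) {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        if (-not $line) { continue }   # right currently assigned to nobody
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if (-not $entry.StartsWith('*')) { continue }   # plain account name, already resolved
            $sidString = $entry.TrimStart('*')
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidString)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                [pscustomobject]@{ Right = $right; Sid = $sidString; Account = $name; Resolved = $true }
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # Translate() throws this when the SID belongs to no known account,
                # e.g. a Domain Users SID (S-1-5-21-<old domain>-513) from a domain that no longer exists.
                [pscustomobject]@{ Right = $right; Sid = $sidString; Account = $null; Resolved = $false }
            }
        }
    }
}

# Show only the entries that could not be resolved; an empty table means both rights are clean.
Test-UserRightSids | Where-Object { -not $_.Resolved } | Format-Table -AutoSize
```

Run it before and after editing the GPO: any unresolved SID listed here is the one the gpreport.html "Winning GPO" is pushing down, and it should disappear after the next gpupdate once the GPO has been corrected.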