This article is for those who need to restore access to DeviceLock Service when the administrator accounts that were added to the DeviceLock Administrators list with either Full access or Change permissions are no longer available.
In addition to a user or group name, DeviceLock policies also store the Security Identifier (SID) of each user or group listed in the permissions. Authorization in DeviceLock Service is therefore based on two values: the user or group account name and its SID.
On different computers (for local users and groups) or in different domains, user and group accounts may have the same name, but their SIDs will always differ (except for the built-in local accounts with well-known SIDs). Thus, a user with the same username from a different domain cannot authorize on DeviceLock Service because the SIDs do not match.
As a result, after migration to a new domain, or after deleting the existing DeviceLock Administrators accounts from AD and creating new ones with the same names, the SIDs no longer match and DeviceLock Service does not recognize such accounts, making any further use of DeviceLock Service under these accounts impossible.
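The name-versus-SID comparison described above can be checked for any account before or after a migration. This is an added example, not DeviceLock code: the `$recorded` list, the `EXAMPLE\dl-admins` account, its SID and the `Compare-RecordedSid` function are constructed for illustration, and the page does not show how DeviceLock stores these values.

```powershell
# Constructed sample: names and SIDs as they were recorded when the accounts
# were granted access (placeholder values, not read from DeviceLock).
$recorded = @(
    [pscustomobject]@{ Name = 'BUILTIN\Administrators'; Sid = 'S-1-5-32-544' }
    [pscustomobject]@{ Name = 'EXAMPLE\dl-admins'
                       Sid  = 'S-1-5-21-1111111111-2222222222-3333333333-1104' }
)

function Compare-RecordedSid {
    param([Parameter(Mandatory)] [object[]] $Entries)

    foreach ($entry in $Entries) {
        $old = [System.Security.Principal.SecurityIdentifier]::new($entry.Sid)
        $now = $null
        try {
            # Resolve the name as this machine/domain sees it today.
            $account = [System.Security.Principal.NTAccount]::new($entry.Name)
            $now = $account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            # Name no longer resolves (account deleted or domain unreachable).
        }

        # Same name is not enough: the SID must also be identical.
        $status = if ($null -eq $now) { 'Unresolved' } elseif ($now.Value -eq $old.Value) { 'Match' } else { 'Mismatch' }

        [pscustomobject]@{
            Name        = $entry.Name
            RecordedSid = $old.Value
            CurrentSid  = if ($now) { $now.Value } else { $null }
            # Well-known built-in SIDs carry no domain identifier, so they
            # are the same on every computer; S-1-5-21-... SIDs are not.
            DomainBound = $null -ne $old.AccountDomainSid
            Status      = $status
        }
    }
}

Compare-RecordedSid -Entries $recorded | Format-Table -AutoSize
```

A `Mismatch` row on a domain-bound entry is the situation described above: the name still resolves, but to a different SID than the one recorded.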
For the instructions on available methods to restore access to DeviceLock Service, please submit a new support case.