On SOME of our domain hosts ONLY, when a process running on machine under
the system account (during a boot-time GPO) asks the DC for the SID for the
computer's account (i.e., DOMAIN\HOSTNAME$) using the LookupAccountName()
API, this fails with error 5, i.e. "Access Denied"...
(FWIW this LookupAccountName() call actually occurs within the invocation of
SETACL.EXE)
Any clue?
If the answer is to switch to LsaLookupNames2(), where can I find sample C++
code to use that API (I'm especially worried about the "Policy Handle"
stuff...)