both "NTLM Authentication" and "This Organization" are so called well-known-security principals. They are added dynamically to the token of a user when the users authenticate in their domain or accross a trust.
However, they're not groups that you can read any memberships from like you can with other groups in AD. As such you can either leverage the security eventlogs to check for NTLM and Kerberos authentication events (preferred approach), or you can query the user's token (e.g. by using sectok from www.joeware.com) for the respective security principal and do your reporting this way. /Guido -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott Sent: Freitag, 3. März 2006 15:24 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] "NTLM Authentication" Security Principal I have an interest in finding out how many of the users in our primary forest are authenticating via NTLM instead of Kerberos. I know that in Windows 2003 there is a new well-known security principal called "NTLM Authentication" which dynamically contains the list of people who authenticated via NTLM. My question is, does anyone know how to query this security principal so I could get that list of people? Even if it's an ever-changing list, a snapshot at different times would be useful to see volumes. I was thinking of comparing that list to the "This Organization" security principal so I could tell what % of authentication were NTLM. If there's another way to do this, I'm open to suggestions as well. Thanks in advance for any comments. Scott List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
