The builtin groups kept in the builtin container are some of the groups/security principals with SIDs that do not have domain/machine affinity (see below). I cannot think of any real reason for Microsoft to segregate them like that other than for logical separation.
 
 
G:\>adfind -default -rb cn=builtin objectsid
 
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
 
Using server: r2dc2.test.loc:389
Directory: Windows Server 2003
Base DN: cn=builtin,DC=test,DC=loc
 
dn:CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32
 
dn:CN=Remote Desktop Users,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-555
 
dn:CN=Network Configuration Operators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-556
 
dn:CN=Performance Monitor Users,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-558
 
dn:CN=Performance Log Users,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-559
 
dn:CN=Distributed COM Users,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-562
 
dn:CN=Incoming Forest Trust Builders,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-557
 
dn:CN=Terminal Server License Servers,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-561
 
dn:CN=Users,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-545
 
dn:CN=Guests,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-546
 
dn:CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-554
 
dn:CN=Windows Authorization Access Group,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-560
 
dn:CN=Print Operators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-550
 
dn:CN=Account Operators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-548
 
dn:CN=Administrators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-544
 
dn:CN=Replicator,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-552
 
dn:CN=Server Operators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-549
 
dn:CN=Backup Operators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-551
 

18 Objects returned
 
 
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
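The point made in the message above, that the objects under CN=Builtin carry S-1-5-32 SIDs with no domain or machine part, can be checked against adfind output with a short script. This is an added example, not part of the original thread; the function names are hypothetical and the Domain Admins SID in the sample is constructed for contrast.

```python
import re
# First two entries are copied from the listing; the Domain Admins SID is constructed.
SAMPLE = """\
dn:CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32
dn:CN=Administrators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-544
dn:CN=Domain Admins,CN=Users,DC=test,DC=loc
>objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
"""

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a string SID into (identifier_authority, [sub-authorities])."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a valid SID string: {sid!r}")
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def affinity(sid):
    """Return (kind, issuer, rid); kind is 'builtin', 'domain' or 'other'."""
    authority, subs = parse_sid(sid)
    if authority == 5 and subs[0] == 32:
        # S-1-5-32[-RID]: the same value on every domain and machine.
        return "builtin", "S-1-5-32", subs[1] if len(subs) > 1 else None
    if authority == 5 and subs[0] == 21 and len(subs) >= 5:
        # S-1-5-21-<issuer sub-authorities>-<RID>: tied to one domain or machine.
        issuer = "S-1-5-" + "-".join(str(s) for s in subs[:-1])
        return "domain", issuer, subs[-1]
    return "other", None, None


def classify_listing(text):
    """Pair each dn: line with the >objectSid: line after it."""
    result, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith(">objectSid:") and dn:
            result[dn] = affinity(line.split(":", 1)[1])
    return result


if __name__ == "__main__":
    for dn, (kind, issuer, rid) in classify_listing(SAMPLE).items():
        print(f"{kind:8} issuer={issuer} rid={rid}  {dn}")
```

Run against a real listing, every object under CN=Builtin should come back as `builtin` with the same issuer, while groups such as Domain Admins report an issuer unique to their domain.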
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, July 27, 2006 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Query on Security Groups

I was just curious what the different security groups were in each container, and wondered, if the Users container was the default for users, why have various security groups in there as well. Why not have them all residing in the one container?
 
Thanks for responding
 


Al Mulnick <[EMAIL PROTECTED]> wrote:
Interesting....
 
CN=Users = default container for users
CN=Builtin = default container for builtin objects such as administrators.
 
IIRC.
Domain Admins vs. Administrators? It's a toss-up because either can become the other. By default, however, domain admins has rights to more objects because by default the domain admins has the ability to edit GPO and is added to the member wkstns and server administrators group on joining the domain.
 
What makes you ask?
 
On 7/27/06, Frank Abagnale <[EMAIL PROTECTED]> wrote:
Hi,
 
I have two queries:
 
1. What is the difference between the Users Container and Builtin Container off the root of AD? What do the different groups do?
 
2. What is the difference between the Administrators group and the Domain Admins group? Which has higher permissions within the forest?
 
thanks
 
Frank
 
 
