The builtin groups kept in the builtin container are some of the
groups/security principals with SIDs that do not have domain/machine affinity
(see below). I cannot think of any real reason for Microsoft to segregate
them like that other than for logical separation.
G:\>adfind -default -rb cn=builtin objectsid

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: r2dc2.test.loc:389
Directory: Windows Server 2003
Base DN: cn=builtin,DC=test,DC=loc

dn:CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32

dn:CN=Remote Desktop Users,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-555

dn:CN=Network Configuration Operators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-556

dn:CN=Performance Monitor Users,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-558

dn:CN=Performance Log Users,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-559

dn:CN=Distributed COM Users,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-562

dn:CN=Incoming Forest Trust Builders,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-557

dn:CN=Terminal Server License Servers,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-561

dn:CN=Users,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-545

dn:CN=Guests,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-546

dn:CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-554

dn:CN=Windows Authorization Access Group,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-560

dn:CN=Print Operators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-550

dn:CN=Account Operators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-548

dn:CN=Administrators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-544

dn:CN=Replicator,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-552

dn:CN=Server Operators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-549

dn:CN=Backup Operators,CN=Builtin,DC=test,DC=loc
>objectSid: S-1-5-32-551

18 Objects returned
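
Added example, not part of the original message or of AdFind: a Python sketch that decodes the binary objectSid value an LDAP query returns and separates SIDs issued by the fixed S-1-5-32 builtin domain from SIDs issued by a specific domain. The function names are hypothetical, the domain SID is a constructed sample, and the general facts relied on are the binary SID layout and RID 512 for Domain Admins.

```python
import struct

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary objectSid value (as LDAP returns it) to S-1-... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; used here to build the sample input."""
    tag, revision, authority, *subs = sid.split("-")
    if tag != "S":
        raise ValueError("not a SID string")
    subs = [int(s) for s in subs]
    return (bytes([int(revision), len(subs)]) + int(authority).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def classify(sid: str):
    """Return (kind, issuer, rid); kind is 'builtin', 'domain' or 'other'."""
    subs = [int(s) for s in sid.split("-")[3:]]
    if not sid.startswith("S-1-5-") or not subs:
        return ("other", sid, None)
    if subs[0] == 32 and len(subs) <= 2:
        kind, issuer_len = "builtin", 1    # S-1-5-32: same on every domain/machine
    elif subs[0] == 21 and len(subs) in (4, 5):
        kind, issuer_len = "domain", 4     # S-1-5-21-a-b-c: unique per domain/machine
    else:
        return ("other", sid, None)
    issuer = "-".join(["S-1-5", *map(str, subs[:issuer_len])])
    rid = subs[issuer_len] if len(subs) > issuer_len else None
    return (kind, issuer, rid)

# Constructed sample: a made-up domain SID, with 512 as the Domain Admins RID.
SAMPLE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"

if __name__ == "__main__":
    samples = [sid_to_bytes("S-1-5-32-544"),           # Administrators, as listed above
               sid_to_bytes(SAMPLE_DOMAIN + "-512")]   # Domain Admins in the sample domain
    for raw in samples:
        sid = sid_from_bytes(raw)
        print(sid, classify(sid))
```
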
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, July 27, 2006 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Query on Security Groups
I was just curious what the different security groups were in each
container, wondered if the users container was the default for users, why have
various security groups in there as well. Why not have them all residing in the
one container.
Thanks for responding
Al Mulnick <[EMAIL PROTECTED]> wrote:
Interesting....
CN=Users = default container for users
CN=Builtin = default container for builtin objects such as administrators.
IIRC.
Domain Admins vs. Administrators? It's a toss up because either can become the other. By default however, domain admins has rights to more objects because by default the domain admins has the ability to edit GPO and is added to the member wkstns and server administrators group on joining the domain.
What makes you ask?
On 7/27/06, Frank Abagnale <[EMAIL PROTECTED]> wrote:
Hi,
I have two queries:
1. What is the difference between the Users Container and Builtin Container off the root of AD. What do the different groups do?
2. What is the difference between the Administrators group and the Domain Admins group. which has higher permissions within the forest?
thanks
Frank