I'm not in a position to test whether this is a forest-wide or domain-wide principal.

However, when you can't find something you think should be there, you should search the GC. I've seen numerous people have issues with a user or group "not existing" only to find it's in a parent domain.

Use ADFIND or LDP to search the GC.

Also, what are the actual permissions you are seeing and where?


--Paul
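
One way to run the Global Catalog search suggested above, as an added example that is not part of the original thread. It assumes a domain-joined Windows host and looks the group up by its well-known SID, S-1-5-32-557; the variable names are illustrative.

```powershell
# Added example, not from the thread. Assumes a domain-joined host with .NET
# System.DirectoryServices available; variable names are illustrative.
Add-Type -AssemblyName System.DirectoryServices

# Well-known SID of BUILTIN\Incoming Forest Trust Builders.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-557'

# objectSid is stored as binary, so escape every byte as \XX for the LDAP filter.
$bytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($bytes, 0)
$filter = '(objectSid=' + (($bytes | ForEach-Object { '\{0:X2}' -f $_ }) -join '') + ')'

# The single child of the GC: namespace is a search root covering every domain
# in the forest (Global Catalog, port 3268), not just the local domain.
$gc   = New-Object System.DirectoryServices.DirectoryEntry 'GC:'
$root = $gc.psbase.Children | Select-Object -First 1

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
foreach ($attr in 'distinguishedName', 'sAMAccountName', 'objectClass') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
try {
    if ($results.Count -eq 0) {
        Write-Output "No object with SID $sid was returned by the Global Catalog."
    }
    foreach ($r in $results) {
        # The DN shows which domain actually holds the group.
        [pscustomobject]@{
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
        }
    }
}
finally {
    $results.Dispose()
    $gc.Dispose()
}
```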

----- Original Message -----
From: "Han Valk" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Thursday, August 17, 2006 10:24 AM
Subject: RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders


First, forgive my ignorance, I didn't know that the group should only exist in the forest root domain. But how is it possible that CHILDDOMAIN\Incoming Forest Trust Builders has permissions on the child domain in ADUC when there shouldn't be a CHILDDOMAIN\Incoming Forest Trust Builders?

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 19:37
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

It's only in the forest domain IIRC ;-)

M@


On 8/14/06, Han Valk <[EMAIL PROTECTED]> wrote:

No??? Child domain.

> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
> Sent: Monday, August 14, 2006 17:38
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
>
> By the way you are looking for this on the forest root right?
>
> M@
>
>
> On 8/14/06, Han Valk <[EMAIL PROTECTED]> wrote:
>
>       Yep logged in as Domain Admin.
>
>       > -----Original Message-----
>       > From: [EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
>       > Sent: Monday, August 14, 2006 13:00
>       > To: ActiveDir@mail.activedir.org
>       > Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
>       >
>       > I am wondering if there are ACLs defined on the group itself
>       > or the OU above to prevent you from seeing it. Do you see it as
>       > the Administrator account of the domain?
>       >
>       > M@
>       >
>       >
>       > On 8/14/06, Han Valk <[EMAIL PROTECTED]> wrote:
>       >
>       >       Problem is I don't see it anymore in the BUILTIN container.
>       >       Strange thing is that if I look at the security of the domain
>       >       object in ADUC Incoming Forest Trust Builders is there.
>       >
>       >       > -----Original Message-----
>       >       > From: [EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
>       >       > Sent: Monday, August 14, 2006 10:22
>       >       > To: ActiveDir@mail.activedir.org
>       >       > Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
>       >       >
>       >       > I don't think so. objectsid attribute is a systemonly
>       >       > attribute. Personally I am impressed by that "smart
>       >       > co-worker" that managed to delete it. According to the AD
>       >       > Delegation appendices
>       >       >
>       >       > http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
>       >       >
>       >       > it's not possible to move delete rename this group.
>       >       >
>       >       > Maybe he exploited the dynamic objects feature in Windows
>       >       > 2003 RTM?
>       >       >
>       >       > http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx
>       >       >
>       >       >
>       >       > M@
>       >       >
>       >       >
>       >       > On 8/14/06, Han Valk <[EMAIL PROTECTED]> wrote:
>       >       >
>       >       >       Hi,
>       >       >
>       >       >       A smart co-worker deleted the BUILTIN\Incoming Forest
>       >       >       Trust Builders group.
>       >       >       Is it possible to recreate this group with the same
>       >       >       well known SID?
>       >       >       Authoritative restore is out of the question,
>       >       >       deletion is too long ago.
>       >       >
>       >       >       Han Valk.
>       >       >       List info   : http://www.activedir.org/List.aspx
>       >       >       List FAQ    : http://www.activedir.org/ListFAQ.aspx
>       >       >       List archive: http://www.activedir.org/ml/threads.aspx