Pub time already. Phew this day went by fast! Let's go! -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 22, 2006 6:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing... Thanks, I'll get my coat ... :) _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: 22 November 2006 09:51 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing... Neil, You responded to the thread where Steve already corrected himself. Read the doc you cited again. Only the EDC membership changes during the process you described. EDC itself is NOT created at this point. It is merely made a member of the newly-created "Windows Authorization Access" group. Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services <x-excid://32770000/uri:http://www.akomolafe.com> www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _____ From: [EMAIL PROTECTED] Sent: Wed 11/22/2006 1:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing... I believe SteveL may have already suggested that this group is only available post w2k, and only after the PDC in the domain has been upgraded. Further info here: http://technet2.microsoft.com/WindowsServer/en/library/08eb226b-0192-4c0 5-b919-c9311bafae351033.mspx?mfr=true neil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 22 November 2006 05:36 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing... Hi there, I finally found out where this group was...it is available from Windows 2000 AD forwards and is found at CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x. Its not viewable/searchable under ADUC even with advanced features turned on but you can use it to apply security on an AD object. Cheers everyone for your assistance... ;-) Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/ |---------+----------------------------------> | | | | | | | | | | | Steve Linehan | | | <[EMAIL PROTECTED]| | | > | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org | | | | | | | | | 22/11/2006 03:33 p.m. | | | Please respond to | | | ActiveDir | | | | |---------+----------------------------------> >----------------------------------------------------------------------- ---------------------------------------| | | | To: "ActiveDir@mail.activedir.org" <ActiveDir@mail.activedir.org> | | cc: | | Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing... | >----------------------------------------------------------------------- ---------------------------------------| Sorry read and responded to this to fast you should have an Enterprise Domain Controllers group however it becomes a member of "Windows Authorization Access group" after the PDC upgrade. You will be missing some of the other Groups and Security Principals listed in that section until the PDC is upgraded. Thanks, -Steve ________________________________________ From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Steve Linehan [EMAIL PROTECTED] Sent: Tuesday, November 21, 2006 8:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing... You have to upgrade or install one of the servers in each domain to Windows Server 2003 and then transfer the PDC Emulator role to the upgraded or added Windows Server 2003 box. When a Windows Server 2003 box takes over the PDC Emulator FSMO role it will create these new security principals. This is documented under the section titled "Windows Server 2003 Well Known Security Principals" in the following link: http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4ed b-a2f4-d5794d31c2a71033.mspx . Thanks, -Steve ________________________________________ From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: Tuesday, November 21, 2006 8:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Enterprise Domain Controllers group missing... - We recently upgraded the schema in one forest from Windows 2000 to Windows 2003. - We now receive the following error when trying to access group policies, "The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPO's in the domain in order for Group Policy Modelling to function properly. To learn more about this issue and how you can correct it, click Help.". - I can confirm we do not have an "Enterprise Domain Controllers" group in any of the domains. - I have found the following article " http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4be e-84c9-1994921658cd1033.mspx?mfr=true " which shows how to fix the GPO issue using "GrantPermissionOnAllGPOs.wsf"...but this assumes we actually have the group "Enterprise Domain Controllers" available. From further reading I see this group has a specific SID of S-1-5-9 so I can not simply create a new group. - Does anyone have any idea how the group "Enterprise Domain Controllers" can be recreated with the correct SID of S-1-5-9 so that we can run the script "GrantPermissionOnAllGPOs.wsf" to fix the group policy problem? Thanks in advance, Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.