[ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies,
"The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must have read access on all
GPO's in the domain in order for Group Policy Modelling to function
properly. To learn more about this issue and how you can correct it, click
Help.".

- I can confirm we do not have an "Enterprise Domain Controllers" group in
any of the domains.

- I have found the following article
http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true
which shows how to fix the GPO issue using "GrantPermissionOnAllGPOs.wsf"...
but this assumes we actually have the group "Enterprise Domain Controllers"
available. From further reading I see this group has a specific SID of
S-1-5-9, so I cannot simply create a new group.

- Does anyone have any idea how the group "Enterprise Domain Controllers"
can be recreated with the correct SID of S-1-5-9 so that we can run the
script "GrantPermissionOnAllGPOs.wsf" to fix the group policy problem?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

View Advanced Features
Look in Foreign Security Principles that I recall?



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Steve Linehan
You have to upgrade or install one of the servers in each domain to Windows 
Server 2003 and then transfer the PDC Emulator role to the upgraded or added 
Windows Server 2003 box.  When a Windows Server 2003 box takes over the PDC 
Emulator FSMO role it will create these new security principals.  This is 
documented under the section titled "Windows Server 2003 Well Known Security 
Principals" in the following link: 
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx.

Thanks,

-Steve




Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid
Hi there,

I read that in another article as well...

http://groups.google.co.nz/group/microsoft.public.windows.server.active_directory/browse_thread/thread/37eb3a91907d3f4e/4173fe072f7269b9?lnk=st&q=The+Enterprise+Domain+Controllers+group+does+not+have+read+access+to+this+GPO&rnum=2&hl=en#4173fe072f7269b9

...but we have nothing under Foreign Security Principals which matches the
SID we are after. Does anyone know how to create a group that uses a well-known
SID, or how this group is created initially, so we can repeat the process?

Thanks,



RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Akomolafe, Deji
>>>I can confirm we do not have an "Enterprise Domain Controllers" group in any 
>>>of the domains.

Really? How did you confirm that? In ADUC (with "Advanced Features" enabled in 
View) and doing a custom search for "enterprise", simply looking in the 
"Foreign Security Principals" containers?


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon





RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Steve Linehan
Sorry, I read and responded to this too fast. You should have an Enterprise
Domain Controllers group; however, it becomes a member of "Windows
Authorization Access Group" after the PDC upgrade. You will be missing some of
the other groups and security principals listed in that section until the PDC
is upgraded.

Thanks,

-Steve




RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid
;-) Yip, sure did... sorry, I should have elaborated further.



RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid
Awesome, thanks, will check it out... ;-)



RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Akomolafe, Deji
Well then, someone fat-fingered it. Run forestprep again, and if that doesn't 
work, it's time to talk to the likes of Steve in private :)



RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid
Hi there,

I finally found out where this group was... it is available from Windows
2000 AD forwards and is found at
CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x.
It's not viewable/searchable under ADUC even with Advanced Features turned
on, but you can use it to apply security on an AD object.

Cheers everyone for your assistance...  ;-)


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Akomolafe, Deji
>>> Its not viewable/searchable under ADUC even with advanced features turned 
>>> on 

That is an incorrect statement.

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Hi there,

I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. Its not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Steve Linehan <[EMAIL PROTECTED]>
Sent: 22/11/2006 03:33 p.m.
To: "ActiveDir@mail.activedir.org"
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Sorry, I read and responded to this too fast. You should have an Enterprise
Domain Controllers group; however, it becomes a member of the "Windows
Authorization Access Group" after the PDC upgrade. You will be missing
some of the other groups and security principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to Windows
Server 2003 and then transfer the PDC Emulator role to the upgraded or
added Windows Server 2003 box.  When a Windows Server 2003 box takes over
the PDC Emulator FSMO role it will create these new security principals.
This is documented under the section titled "Windows Server 2003 Well Known
Security Principals" in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx

Thanks,

-Steve



RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Matt . Duguid
Then correct it so people can learn rather than simply point out that it's
wrong, which really gets no one anywhere...

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: "Akomolafe, Deji" <[EMAIL PROTECTED]>
Sent: 22/11/2006 07:12 p.m.
To: ActiveDir
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


>>> It's not viewable/searchable under ADUC even with advanced features
turned on

That is an incorrect statement.


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Akomolafe, Deji
I already did. But since you missed this, how about 
http://www.akomolafe.com/Portals/1/EDC.jpeg?


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Then correct it so people can learn rather than simply point out that it's
wrong, which really gets no one anywhere...


Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Now granted my "picture is worth a thousand words" may not be accurate 
since I also have the Kitchen sink service running...


fwiw that's what mine looks like... http://www.sbslinks.com/aduc.htm

[EMAIL PROTECTED] wrote:

Then correct it so people can learn rather than simply point out that it's
wrong, which really gets no one anywhere...


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread neil.ruston
I believe SteveL may have already suggested that this group is only
available post w2k, and only after the PDC in the domain has been
upgraded. Further info here:
http://technet2.microsoft.com/WindowsServer/en/library/08eb226b-0192-4c05-b919-c9311bafae351033.mspx?mfr=true

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 22 November 2006 05:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Akomolafe, Deji
Neil,

You responded to the thread where Steve already corrected himself. Read the doc 
you cited again. Only the EDC membership changes during the process you 
described. EDC itself is NOT created at this point. It is merely made a member 
of the newly-created "Windows Authorization Access" group.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: [EMAIL PROTECTED]
Sent: Wed 11/22/2006 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


I believe SteveL may have already suggested that this group is only
available post w2k, and only after the PDC in the domain has been
upgraded. Further info here:
http://technet2.microsoft.com/WindowsServer/en/library/08eb226b-0192-4c05-b919-c9311bafae351033.mspx?mfr=true

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 22 November 2006 05:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Hi there,

I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. Its not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



|-+-->
| |  |
| |  |
| |  |
| |   Steve Linehan  |
| |   <[EMAIL PROTECTED]|
| |   >  |
| |   Sent by:   |
| |   [EMAIL PROTECTED]|
| |   tivedir.org|
| |  |
| |  |
| |   22/11/2006 03:33 p.m.  |
| |   Please respond to  |
| |   ActiveDir  |
| |  |
|-+-->
 
>---
---|
  |
|
  |To:  "ActiveDir@mail.activedir.org"
|
  |cc:
|
  |Subject: RE: [ActiveDir] Enterprise Domain Controllers group
missing...   |
 
>---
---|


Sorry read and responded to this to fast you should have an Enterprise
Domain Controllers group however it becomes a member of "Windows
Authorization Access group" after the PDC upgrade.  You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to
Windows Server 2003 and then transfer the PDC Emulator role to the
upgraded or added Windows Server 2003 box.  When a Windows Server 2003
box takes over the PDC Emulator FSMO role it will create these new
security principals.
This is documented under the section titled "Windows Server 2003 Well
Known Security Principals" in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4ed
b-a2f4-d5794d31c2a71033.mspx
.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group
policies, "The Enterprise Domain Controllers gro

Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Paul Williams
I imagine you used the version of ADPREP that ships with Windows Server 2003 
SP1?


I believe you need to run ADPREP /DOMAINPREP /GPPREP.

This will add the inheritable ACEs to CN=Policies,CN=System,DC=...

Allow: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read is an inherited ACE.


Re. EDCs.

ENTERPRISE_DOMAIN_CONTROLLERS Security Principal is available with Windows 
2000.  The new Security Principals added by 2003 are:


 . LocalService
 . NetworkService
 . NTLM Authentication
 . Other Organization
 . Remote Interactive Logon
 . SChannel Authentication
 . This Organization



These group memberships are also modified:

 . The Network Servers group is added to the Performance Monitoring Users group.
 . The Enterprise Domain Controllers group is added to the Windows Authorization Access group.

See the link from Steve for more info. on this.  2003 RTM added new Sec 
Prins.  2003 SP1 also added some, IIRC.  Therefore ensure your PDCe is 
running k3 SP1.



--Paul


- Original Message - 
From: <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, November 22, 2006 2:04 AM
Subject: [ActiveDir] Enterprise Domain Controllers group missing...





List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Paul Williams
Mistyped the Inherited/inherit ACE flags there, but you get my point; kind
of makes sense in English.


I'm guessing, as I'm not in a position to test, that perhaps GPPREP adds the
necessary ACE(s) to the aforementioned container, resulting in an ACE set
with the INHERIT flag, which means that child objects will inherit this ACE
(unless NO_PROPAGATE is set, which it isn't).



--Paul

- Original Message - 
From: "Paul Williams" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, November 22, 2006 10:31 AM
Subject: Re: [ActiveDir] Enterprise Domain Controllers group missing...


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
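The mechanics Paul describes here and in his previous message (an inheritable Read ACE for ENTERPRISE DOMAIN CONTROLLERS on CN=Policies,CN=System that the GPO containers pick up as inherited ACEs), together with Matt's observation that the principal object sits under CN=WellKnown Security Principals in the configuration NC and Steve's point that the domain only gets a visible object for it once it is made a member of a domain group, can all be checked from one place. The PowerShell below is an added example written for this archive; it is not code from anyone on the list and it is not Microsoft's GrantPermissionOnAllGPOs.wsf. It assumes a domain-joined host with .NET System.DirectoryServices available, treats an Allow ACE carrying GenericRead on the whole object as the bar for "Read", and its -Fix switch (this script's own) repairs only the AD side of a GPO; the SYSVOL folder ACL that GPMC also sets is left to GPMC or the .wsf script.

```powershell
# Added example for this thread (not code from the list or from Microsoft):
# audit the Enterprise Domain Controllers (S-1-5-9) Read ACEs that Group Policy
# Modeling needs, using System.DirectoryServices only (no GroupPolicy module).
# Reading nTSecurityDescriptor works for any authenticated user; -Fix needs
# rights to edit the GPO containers.
param([switch]$Fix)   # -Fix adds the missing ACE on the AD side of each GPO

$EdcSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-9'

# 1. S-1-5-9 is a well-known SID known to LSA itself: it resolves without a
#    directory lookup and can never be (re)created as an ordinary group.
$edcName = $EdcSid.Translate([System.Security.Principal.NTAccount]).Value
"S-1-5-9 resolves to: $edcName"   # NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext.Value
$configDn = $rootDse.configurationNamingContext.Value

# 2. The principal object itself lives in the configuration NC, not in a domain NC.
$wkspPath = "LDAP://CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,$configDn"
if ([System.DirectoryServices.DirectoryEntry]::Exists($wkspPath)) {
    $wksp      = [ADSI]$wkspPath
    $sidFromAd = New-Object System.Security.Principal.SecurityIdentifier($wksp.objectSid.Value, 0)
    "Well-known principal object present, objectSid = $($sidFromAd.Value)"
}

# 3. In the domain NC the only trace is a foreign security principal named by
#    SID, created when the principal is first made a member of a domain group
#    (normally Windows Authorization Access Group, by a 2003 PDC emulator).
$fspPath = "LDAP://CN=S-1-5-9,CN=ForeignSecurityPrincipals,$domainDn"
if ([System.DirectoryServices.DirectoryEntry]::Exists($fspPath)) {
    $memberOf = @(([ADSI]$fspPath).memberOf)
    "FSP CN=S-1-5-9 exists; memberOf: $($memberOf -join '; ')"
} else {
    "FSP CN=S-1-5-9 not found (principal is not yet a member of any group in this domain)"
}

# Returns the Allow ACE granting S-1-5-9 GenericRead on the whole object, or $null.
function Get-EdcReadAce {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    $read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    # Ask for SIDs so no name translation is attempted; include inherited rules.
    $rules = $Entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq 'S-1-5-9' -and
            $r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            $r.ObjectType -eq [Guid]::Empty -and
            (($r.ActiveDirectoryRights -band $read) -eq $read)) {
            return $r
        }
    }
    return $null
}

# 4. ADPREP /DOMAINPREP /GPPREP leaves an inheritable EDC Read ACE on the
#    Policies container; the GPO containers beneath it then show it as inherited.
$policies  = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
$parentAce = Get-EdcReadAce $policies
if ($parentAce) {
    "CN=Policies: EDC Read ACE present; InheritanceFlags={0}; PropagationFlags={1}" -f `
        $parentAce.InheritanceFlags, $parentAce.PropagationFlags
} else {
    "CN=Policies: no EDC Read ACE (ADPREP /DOMAINPREP /GPPREP not run in this domain?)"
}

# 5. Check every GPO container; optionally repair the AD half.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($policies, '(objectClass=groupPolicyContainer)')
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
foreach ($result in $searcher.FindAll()) {
    $gpo  = $result.GetDirectoryEntry()
    $name = $gpo.displayName.Value
    $ace  = Get-EdcReadAce $gpo
    if ($ace) {
        "OK       {0,-40} inherited={1}" -f $name, $ace.IsInherited
    } elseif ($Fix) {
        # Explicit Allow ACE for S-1-5-9, GenericRead, applying to the GPO object
        # and its User/Machine child containers. AD side only: the matching
        # SYSVOL folder ACL still needs GPMC or GrantPermissionOnAllGPOs.wsf.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $EdcSid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $gpo.ObjectSecurity.AddAccessRule($rule)
        $gpo.CommitChanges()
        "FIXED    $name"
    } else {
        "MISSING  $name"
    }
}
```

Run it read-only first. One line per GPO comes back as OK with inherited=True when the Read ACE arrives from the GPPREP ACE on CN=Policies, OK with inherited=False when it was set per GPO (as the .wsf script does), or MISSING. A domain that reports "no EDC Read ACE" on CN=Policies and MISSING on every GPO matches the symptom in this thread; a domain whose FSP CN=S-1-5-9 lookup fails is one where no 2003 PDC emulator has yet added the principal to Windows Authorization Access Group.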


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread neil.ruston
Thanks, I'll get my coat ...
 
:)


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: 22 November 2006 09:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Neil,
 
You responded to the thread where Steve already corrected himself. Read
the doc you cited again. Only the EDC membership changes during the
process you described. EDC itself is NOT created at this point. It is
merely made a member of the newly-created "Windows Authorization Access"
group.
 


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread joe


>>>>>> It's not viewable/searchable under ADUC even with advanced features
turned on
 
>>> That is an incorrect statement.
 
 
Maybe... maybe not... Unless you have actually looked at that directory
instance you cannot possibly know for sure. You can expect it should follow
a certain pattern you have perceived in the past, but you can't be 100% sure
it is the case for every instance. I can show a bitmap right now that shows
that group doesn't exist in FSPs... All that proves is that my test
directory doesn't have it and your test directory does have it.
 
Enterprise Domain Controllers is a well known security principal, it lives
initially in the configuration container with other well known security
principals in the WellKnown Security Principals container. That
container isn't viewable from ADUC... It doesn't become something you can
view as an actual object in ADUC until it gets added to a group in a domain
NC - specifically/usually the group Windows Authorization Access Group. Even
if added, someone could delete it and then something has to re-add the Well
Known Security Principal to a group again to get the FSP to be created and
add it to the Authorization Access Group for things to be right. 
 
Also note that if someone is looking for the name of the group, like they
would with any normal regular group, that will obviously fail because the
name in the domain NC is a SID, not the group name. 
 
This isn't a normal case, it is a very specific special implementation.
There are special little implementation details all throughout AD that you
don't know about until you actually encounter them. I would not be surprised
to see even experienced admins tripped up by this one. It isn't worth
really knowing about unless you have had a reason to have to know about it.
 
  joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Wednesday, November 22, 2006 1:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


>>> Its not viewable/searchable under ADUC even with advanced features
turned on 
 
That is an incorrect statement.

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
http://www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

  _  

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Hi there,

I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/







From: Steve Linehan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
22/11/2006 03:33 p.m.
Please respond to ActiveDir
To: "ActiveDir@mail.activedir.org"
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...





Sorry, read and responded to this too fast; you should 

RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread joe
Pub time already. Phew this day went by fast! Let's go!
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Thanks, I'll get my coat ...
 
:)

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: 22 November 2006 09:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Neil,
 
You responded to the thread where Steve already corrected himself. Read the
doc you cited again. Only the EDC membership changes during the process you
described. EDC itself is NOT created at this point. It is merely made a
member of the newly-created "Windows Authorization Access" group.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
http://www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

  _  

From: [EMAIL PROTECTED]
Sent: Wed 11/22/2006 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


I believe SteveL may have already suggested that this group is only
available post w2k, and only after the PDC in the domain has been
upgraded. Further info here:
http://technet2.microsoft.com/WindowsServer/en/library/08eb226b-0192-4c05-b919-c9311bafae351033.mspx?mfr=true

neil





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 22 November 2006 05:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...



Hi there,

I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/







From: Steve Linehan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
22/11/2006 03:33 p.m.
Please respond to ActiveDir
To: "ActiveDir@mail.activedir.org"
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...





Sorry, read and responded to this too fast; you should have an Enterprise
Domain Controllers group; however, it becomes a member of "Windows
Authorization Access group" after the PDC upgrade.  You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve





From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to
Windows Server 2003 and then transfer the PDC Emulator role to the
upgraded or added Windows Server 2003 box.  When a Windows Server 2003
box takes over the PDC Emula

RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread AFidel
Just for future reference the easiest way to identify where an object is 
if you have a SID is to use adfind with the -binenc option:
adfind -binenc -b dc=FOO,dc=BAR -f objectSID=S-1-5-9

You'll find the full path to the object under >objectCategory:

While the binenc option isn't strictly needed for this example, as well 
known security principals apparently don't need to be encoded, it does not 
hurt and it's a good habit to get into because you WILL need it for many 
SID searches =)

Thanks,
Andrew Fidel



[EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
11/22/2006 12:35 AM
Please respond to
ActiveDir@mail.activedir.org


To
ActiveDir@mail.activedir.org
cc

Subject
RE: [ActiveDir] Enterprise Domain Controllers group missing...






Hi there,

I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Steve Linehan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
22/11/2006 03:33 p.m.
Please respond to ActiveDir
To: "ActiveDir@mail.activedir.org"
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Sorry, read and responded to this too fast; you should have an Enterprise
Domain Controllers group; however, it becomes a member of "Windows
Authorization Access group" after the PDC upgrade.  You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to Windows
Server 2003 and then transfer the PDC Emulator role to the upgraded or
added Windows Server 2003 box.  When a Windows Server 2003 box takes over
the PDC Emulator FSMO role it will create these new security principals.
This is documented under the section titled "Windows Server 2003 Well Known
Security Principals" in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies,
"The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must have read access on all
GPO's in the domain in order for Group Policy Modelling to function
properly. To learn more about this issue and how you can correct it, click
Help.".

- I can confirm we do not have an "Enterprise Domain Controllers" group in
any of the domains.

- I have found the following article
"http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true"
which shows how to fix the GPO is

RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread joe
If querying objectsid in K3 or ADAM you don't need -binenc, even for
non-well knowns. :)
 
Any other SID field though will require it that I am aware of. 
 
 
 
The quickest way to find a SID in objectsid or sidhistory with adfind is
through the adsid shortcut like so
 
adfind -sc adsid:s-1-5-9
 
   joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...



Just for future reference the easiest way to identify where an object is if
you have a SID is to use adfind with the -binenc option: 
adfind -binenc -b dc=FOO,dc=BAR -f objectSID=S-1-5-9 

You'll find the full path to the object under >objectCategory: 

While the binenc option isn't strictly needed for this example, as well
known security principals apparently don't need to be encoded, it does not
hurt and it's a good habit to get into because you WILL need it for many SID
searches =) 

Thanks, 
Andrew Fidel 



[EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED] 


11/22/2006 12:35 AM 


Please respond to
ActiveDir@mail.activedir.org



To
ActiveDir@mail.activedir.org 

cc

Subject
RE: [ActiveDir] Enterprise Domain Controllers group missing...






Hi there,

I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Steve Linehan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
22/11/2006 03:33 p.m.
Please respond to ActiveDir
To: "ActiveDir@mail.activedir.org"
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Sorry, read and responded to this too fast; you should have an Enterprise
Domain Controllers group; however, it becomes a member of "Windows
Authorization Access group" after the PDC upgrade.  You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to Windows
Server 2003 and then transfer the PDC Emulator role to the upgraded or
added Windows Server 2003 box.  When a Windows Server 2003 box takes over
the PDC Emulator FSMO role it will create these new security principals.
This is documented under the section titled "Windows Server 2003 Well Known
Security Principals" in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies,
"The Enterprise Domain Controllers gro