RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-17 Thread Han Valk
First forgive my ignorance, I didn't know that the group should only exist in the
forest root domain. But how is it possible that CHILDDOMAIN\Incoming Forest
Trust Builders has permissions on the child domain in ADUC when there
shouldn't be a CHILDDOMAIN\Incoming Forest Trust Builders?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
 Sent: Monday, August 14, 2006 19:37
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

 It's only in the forest domain IIRC ;-)

 M@

 On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

   No??? Child domain.
   

Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-17 Thread Paul Williams
I'm not in a position to test whether this is a forest-wide or domain-wide
principal.

However, when you can't find something you think should be there, you should
search the GC.  I've seen numerous people have issues with a user or group
not existing only to find it's in a parent domain.

Use ADFIND or LDP to search the GC.

Also, what are the actual permissions you are seeing and where?

--Paul


RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-17 Thread Dean Wells
I'm not in a position to properly prove-out the existence and/or reason for
the child domain ACEs.  However, the Incoming Forest Trust Builders group
uses a well-known SID of S-1-5-32-557, this kind of SID lacks domain
affiliation, i.e. it doesn't technically belong to any particular domain
within the forest and is subsequently deemed as mine by any DC attempting
to resolve it regardless of the domain they're in.  

Note that the same is true to say of Administrators, for example - review
the ACL on the NC head of the ForestDNSzones partition when focused on a
DC/DNS server in the forest root domain, re-read the same ACL when focused
on a DC in a peer-root or child-domain ... note the claimed affiliation of
the Administrators ACE.

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com
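
The lack of domain affiliation described above is visible in the SID structure itself. The following is an added example, not part of the original post: it decodes binary SIDs and separates BUILTIN aliases (S-1-5-32-RID) from domain-issued SIDs (S-1-5-21-...). The domain names, the domain SIDs and the trustee list are constructed sample values.

```python
import struct


def pack_sid(text):
    """Encode 'S-1-<authority>-<sub>-...' into the binary SID layout."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string: %r" % text)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision, sub-authority count, 48-bit big-endian authority,
    # then each sub-authority as a 32-bit little-endian integer
    return (bytes([1, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(raw):
    """Decode a binary SID into (authority, [sub-authorities])."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, raw[8:]))
    return authority, subs


def sid_string(raw):
    """Render a binary SID in S-1-... form."""
    authority, subs = parse_sid(raw)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def classify(raw, domains):
    """Return (kind, owning_domain_name, rid) for one trustee SID.

    domains maps a domain name to its domain SID string (S-1-5-21-a-b-c).
    """
    authority, subs = parse_sid(raw)
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        # BUILTIN alias: nothing in the SID identifies a domain
        return ("builtin", None, subs[1])
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain_sid = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
        for name, sid in domains.items():
            if sid == domain_sid:
                return ("domain", name, subs[4])
        return ("domain", None, subs[4])  # issued by a domain not in the map
    return ("other", None, None)


def describe_acl(trustees, domains):
    """Summarise each trustee SID of an ACL as one text line."""
    lines = []
    for raw in trustees:
        kind, owner, rid = classify(raw, domains)
        sid = sid_string(raw)
        if kind == "builtin":
            lines.append("%s: BUILTIN alias, RID %d, no domain identifier" % (sid, rid))
        elif kind == "domain":
            lines.append("%s: RID %d issued by %s" % (sid, rid, owner or "unknown domain"))
        else:
            lines.append("%s: other well-known SID" % sid)
    return lines


# Constructed sample data: two domains of one forest and four ACE trustees.
DOMAINS = {
    "ROOT": "S-1-5-21-1000000001-2000000002-3000000003",
    "CHILD": "S-1-5-21-1000000011-2000000022-3000000033",
}
TRUSTEES = [
    pack_sid("S-1-5-32-557"),             # Incoming Forest Trust Builders
    pack_sid("S-1-5-32-544"),             # Administrators
    pack_sid(DOMAINS["ROOT"] + "-519"),   # Enterprise Admins of ROOT
    pack_sid(DOMAINS["CHILD"] + "-512"),  # Domain Admins of CHILD
]

if __name__ == "__main__":
    for line in describe_acl(TRUSTEES, DOMAINS):
        print(line)
```

The two S-1-5-32 entries carry the same bytes whichever domain's ACL they sit in, so the domain name shown next to them comes from the DC doing the lookup, not from the SID.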


[ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Han Valk
Hi,

A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group.
Is it possible to recreate this group with the same well known SID?
Authoritative restore is out of the question, deletion is too long ago.

Han Valk.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
I don't think so. objectsid attribute is a systemonly attribute. Personally I am impressed of that smart co-worker that managed to delete it. According to the AD Delegation appendices
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642DisplayLang=en it's not possible to move delete rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM?
http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@


RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Han Valk
Problem is I don't see it anymore in the BUILTIN container. Strange thing is
that if I look at the security of the domain object in ADUC Incoming Forest
Trust Builders is there.



RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Peter Johnson
Maybe the user moved it to another OU? Have you done a full forest
search for the account?


Disclaimer:
The Development Bank of Southern Africa exercises no control over information 
contained in any e-mail message originating from within the organisation. The 
Bank makes no representation relating to the completeness or accuracy and 
accepts no responsibility for any loss, damage or liability that is incurred by 
reliance on the content hereof by the recipient or any other party. Each page 
attached hereto must also be read in conjunction with any disclaimer, which 
forms part of it.
Confidentiality:
The e-mail is privileged and confidential and for use of the addressee only. 
Should you have received this e-mail in error, please return it to [EMAIL 
PROTECTED]  Dissemination, disclosure, copying or any similar actions of the 
content of this e-mail is strictly prohibited.


RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Han Valk
It should not be possible to move that group. I did a search but did not find
it.



Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@



Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
I don't think it can be moved. MS documentation suggests it cannot be.

M@



RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Han Valk
Yep logged in as Domain Admin. 



Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
By the way you are looking for this on the forest root right?

M@



Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
I also meant to view as Administrator. Not an account with domain admin rights. There are subtle differences in certain scenarios. I was assuming the ACLs on the object or the parent are possibly preventing you from viewing the object. But I doubt it's the case.

You aren't using the list object (LO) right, are you?

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

By the way you are looking for this on the forest root right?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Yep logged in as Domain Admin.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 13:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC Incoming Forest Trust Builders is there.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectsid attribute is a systemonly attribute. Personally I am impressed by that smart co-worker that managed to delete it. According to the AD Delegation appendices
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM?
http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Hi,

A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group.
Is it possible to recreate this group with the same well known SID?
Authoritative restore is out of the question, deletion is too long ago.

Han Valk.


RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Eric Fleischman
I haven't read the entire thread which has happened, but IF you managed to delete it, ping me offline and I can help you recreate it. But I would be totally sure it is gone first. A database dump sounds like a fine way to confirm.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I also meant to view as Administrator. Not an account with domain admin rights. There are subtle differences in certain scenarios. I was assuming the ACLs on the object or the parent are possibly preventing you from viewing the object. But I doubt it's the case.

You aren't using the list object (LO) right, are you?

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

By the way you are looking for this on the forest root right?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Yep logged in as Domain Admin.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 13:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC Incoming Forest Trust Builders is there.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectsid attribute is a systemonly attribute. Personally I am impressed by that smart co-worker that managed to delete it. According to the AD Delegation appendices
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM?
http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Hi,

A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group.
Is it possible to recreate this group with the same well known SID?
Authoritative restore is out of the question, deletion is too long ago.

Han Valk.


RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Han Valk
No??? Child domain.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 17:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

By the way you are looking for this on the forest root right?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Yep logged in as Domain Admin.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 13:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC Incoming Forest Trust Builders is there.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectsid attribute is a systemonly attribute. Personally I am impressed by that smart co-worker that managed to delete it. According to the AD Delegation appendices
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM?
http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Hi,

A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group.
Is it possible to recreate this group with the same well known SID?
Authoritative restore is out of the question, deletion is too long ago.

Han Valk.


Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
It's only in the forest domain IIRC ;-)

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

No??? Child domain.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 17:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

By the way you are looking for this on the forest root right?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Yep logged in as Domain Admin.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 13:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC Incoming Forest Trust Builders is there.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectsid attribute is a systemonly attribute. Personally I am impressed by that smart co-worker that managed to delete it. According to the AD Delegation appendices
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM?
http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Hi,

A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group.
Is it possible to recreate this group with the same well known SID?
Authoritative restore is out of the question, deletion is too long ago.

Han Valk.


RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Dean Wells
In light of the last post I've seen in this thread, are you absolutely sure
the account was deleted?  I'm skeptical since you seem quite certain that
the deletion occurred in a child domain where this particular security
principal does NOT exist.  

Can you clarify the means by which the group was deleted, it may assist in
understanding what's going on here?

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Han Valk
 Sent: Monday, August 14, 2006 3:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
 
 Hi,
 
 A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders
 group.
 Is it possible to recreate this group with the same well known SID?
 Authoritative restore is out of the question, deletion is too long
 ago.
 
 Han Valk.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
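
Several replies above come down to confirming that the group is really gone before anything is recreated, with a database dump suggested as the way to check. The following Python is an added example, not code from the thread: it encodes a SID string into the binary form stored in objectSid, builds the matching LDAP filter, and searches an LDIF-style export for it. Assumptions: the group's documented well-known SID is S-1-5-32-557, the export uses `attr:: base64` for binary values, and the DNs in the sample are constructed.

```python
import base64
import struct

# Documented well-known SID of BUILTIN\Incoming Forest Trust Builders (assumption
# stated in the lead-in; the thread itself never quotes the value).
TRUST_BUILDERS_SID = "S-1-5-32-557"

def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-...' string as the binary value stored in objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # 1-byte revision, 1-byte sub-authority count, 6-byte big-endian authority,
    # then every sub-authority as a 4-byte little-endian integer.
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def ldap_sid_filter(sid: str) -> str:
    """LDAP search filter on objectSid with each byte escaped as backslash-hex."""
    return "(objectSid=" + "".join(f"\\{b:02x}" for b in sid_to_bytes(sid)) + ")"

def find_sid_in_ldif(ldif: str, sid: str) -> list:
    """Return (dn, is_deleted) for each LDIF entry whose objectSid equals sid."""
    wanted, hits = sid_to_bytes(sid), []
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            if value.startswith(":"):        # 'attr:: ' marks base64 data
                attrs[key] = base64.b64decode(value[1:].strip())
            else:
                attrs[key] = value.strip()
        if attrs.get("objectSid") == wanted:
            # Tombstones keep objectSid, so a deleted group can still match.
            hits.append((attrs.get("dn"), attrs.get("isDeleted") == "TRUE"))
    return hits

# Constructed sample export (not from the thread), in the style of an LDIF dump.
SAMPLE_LDIF = """\
dn: CN=Administrators,CN=Builtin,DC=root,DC=example
objectSid:: AQIAAAAAAAUgAAAAIAIAAA==

dn: CN=Incoming Forest Trust Builders,CN=Builtin,DC=root,DC=example
objectSid:: AQIAAAAAAAUgAAAALQIAAA==
"""

if __name__ == "__main__":
    print(ldap_sid_filter(TRUST_BUILDERS_SID))
    print(find_sid_in_ldif(SAMPLE_LDIF, TRUST_BUILDERS_SID))
```

An empty result from an export of the forest root domain that includes deleted objects is the evidence asked for above; an export of a child domain is expected to come back empty either way.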