To further Rick's (as usual) outstanding answer with more tech and detail
than most people care about, but I feel long-winded right now and am not wanting
to work on a Perl script for work that I am supposed to be working on.... Also,
hopefully a work compatriot or two will read this and learn anything that I
may not have explained to them about this yet.


All Windows security is based on ACLs (Access Control Lists), which are
chains of ACEs (Access Control Entries), and in each ACE is a security
principal and some access masks defining the permissions granted/denied to
the security principal. The security principal is in the SID format, i.e.
S-1-5-Blah-Blah-Blah. It is NOT stored as a nice name. This is why you
sometimes see *unknown* for a bit when resolving security on something:
it is looking the stuff up from SIDs to nice names.

Well, the SID for the administrators group is a special SID and has been
forever, or at least as long as I have cared about it, which is more important
<grin>. That is why it is called a BUILTIN group: because it has this special
SID. That SID for administrators is S-1-5-32-544. Some other builtin SIDs
are:

S-1-5-32-544 - [Alias]: BUILTIN\Administrators
S-1-5-32-545 - [Alias]: BUILTIN\Users
S-1-5-32-546 - [Alias]: BUILTIN\Guests
S-1-5-32-547 - [Alias]: BUILTIN\Power Users
S-1-5-32-551 - [Alias]: BUILTIN\Backup Operators
S-1-5-32-552 - [Alias]: BUILTIN\Replicator
S-1-5-32-555 - [Alias]: BUILTIN\Remote Desktop Users
S-1-5-32-556 - [Alias]: BUILTIN\Network Configuration Operators


Some other fun ones which are similar are


S-1-5-1 - [WellKnownGroup]: NT AUTHORITY\DIALUP
S-1-5-2 - [WellKnownGroup]: NT AUTHORITY\NETWORK
S-1-5-3 - [WellKnownGroup]: NT AUTHORITY\BATCH
S-1-5-4 - [WellKnownGroup]: NT AUTHORITY\INTERACTIVE
S-1-5-6 - [WellKnownGroup]: NT AUTHORITY\SERVICE
S-1-5-7 - [WellKnownGroup]: NT AUTHORITY\ANONYMOUS LOGON
S-1-5-8 - [WellKnownGroup]: NT AUTHORITY\PROXY
S-1-5-9 - [WellKnownGroup]: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
S-1-5-10 - [WellKnownGroup]: NT AUTHORITY\SELF
S-1-5-11 - [WellKnownGroup]: NT AUTHORITY\Authenticated Users
S-1-5-12 - [WellKnownGroup]: NT AUTHORITY\RESTRICTED
S-1-5-13 - [WellKnownGroup]: NT AUTHORITY\TERMINAL SERVER USER
S-1-5-14 - [WellKnownGroup]: NT AUTHORITY\REMOTE INTERACTIVE LOGON
S-1-5-18 - [WellKnownGroup]: NT AUTHORITY\SYSTEM
S-1-5-19 - [WellKnownGroup]: NT AUTHORITY\LOCAL SERVICE
S-1-5-20 - [WellKnownGroup]: NT AUTHORITY\NETWORK SERVICE
S-1-5-32 - [Domain]: BUILTIN\BUILTIN


Oh yeah... Everyone is the SID S-1-1-0.



So now you have to ask yourself... If all ACEs are based on SIDs and these
*special* SIDs are the same on every system, how could you have any security?
Because if you added the SID for the administrators group of SYSTEMA onto
something, then the SID of the administrators group of SYSTEMB is the same
and so it can also access those resources on SYSTEMA.... Nope. MS protected
themselves from that by saying these SIDs only have scope where the local
machine SAM database rules... So on member servers or workstations, it means
only available on that one machine. With Domains, under NT4 they shared the
SAM across all of the domain controllers of a single domain, so these groups
are valid on all domain controllers. With Windows 200x and AD, they had to
keep the legacy functionality, so there we go....

You never should have been able to set a domain's administrators group on an
ACE on a member server. In fact, if you did, you would have effectively added
the member server's administrators group to the ACE of the member server.
Now you may have seen a tool or two that incorrectly displayed a SID of an
ACE that way, but by no means was it actually set up that way.


Oh, in case you want to play with resolving your own SIDs, here is the Perl
script I whipped up just now to display this info easily... Note that you
can enter your machine/domain SID and the RIDs you want to loop through if
you would like to see the stuff in your domain or on your machine.

The script depends on my sidtoname utility, which you can get at
www.joeware.net on the free win32 tools page as usual...

__START SCRIPT - GETSIDS.PL__
print "\nGetSids V01.00.00pl Joe Richards ([EMAIL PROTECTED]) December 2003\n\n";
# SID prefixes for the well-known ranges that are the same on every system
@specialranges=("S-1-5","S-1-5-32");
# Optional command-line args: a machine/domain SID prefix and the RID range to walk
($mysidstart,$myr1,$myr2)=@ARGV;
map {GetSids($_,1,1000)} @specialranges;
if ($mysidstart=~/\w/) {GetSids($mysidstart,($myr1 or 1),($myr2 or 2000))};
print "The Command Completed Successfully.\n\n";

sub GetSids
 {
  ($start,$r1,$r2)=@_;
  # Make sure the prefix ends with a dash so the RID can be appended directly
  if ($start!~/-$/) {$start.="-"};
  for $i ($r1..$r2)
   {
    $cmd="sidtoname $start".$i;
    print "$cmd     \r";
    # sidtoname prints e.g. "[Alias]: BUILTIN\Administrators"; errors for
    # RIDs that do not resolve are discarded and those RIDs are skipped
    @output=`$cmd 2>nul`;
    @rc=grep(/\[/i,@output);
    if ($rc[0]) {print $start.$i." - ".$rc[0]};
   }
  print " "x80,"\n---\n";
 }
__END SCRIPT - GETSIDS.PL__



Ex1:

F:\Dev\cpp\SidToName>getsids.pl

GetSids V01.00.00pl Joe Richards ([EMAIL PROTECTED]) December 2003

S-1-5-1 - [WellKnownGroup]: NT AUTHORITY\DIALUP
S-1-5-2 - [WellKnownGroup]: NT AUTHORITY\NETWORK
S-1-5-3 - [WellKnownGroup]: NT AUTHORITY\BATCH
S-1-5-4 - [WellKnownGroup]: NT AUTHORITY\INTERACTIVE
S-1-5-6 - [WellKnownGroup]: NT AUTHORITY\SERVICE
S-1-5-7 - [WellKnownGroup]: NT AUTHORITY\ANONYMOUS LOGON
S-1-5-8 - [WellKnownGroup]: NT AUTHORITY\PROXY
S-1-5-9 - [WellKnownGroup]: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
S-1-5-10 - [WellKnownGroup]: NT AUTHORITY\SELF
S-1-5-11 - [WellKnownGroup]: NT AUTHORITY\Authenticated Users
S-1-5-12 - [WellKnownGroup]: NT AUTHORITY\RESTRICTED
S-1-5-13 - [WellKnownGroup]: NT AUTHORITY\TERMINAL SERVER USER
S-1-5-14 - [WellKnownGroup]: NT AUTHORITY\REMOTE INTERACTIVE LOGON
S-1-5-18 - [WellKnownGroup]: NT AUTHORITY\SYSTEM
S-1-5-19 - [WellKnownGroup]: NT AUTHORITY\LOCAL SERVICE
S-1-5-20 - [WellKnownGroup]: NT AUTHORITY\NETWORK SERVICE
S-1-5-32 - [Domain]: BUILTIN\BUILTIN

---
S-1-5-32-544 - [Alias]: BUILTIN\Administrators
S-1-5-32-545 - [Alias]: BUILTIN\Users
S-1-5-32-546 - [Alias]: BUILTIN\Guests
S-1-5-32-547 - [Alias]: BUILTIN\Power Users
S-1-5-32-551 - [Alias]: BUILTIN\Backup Operators
S-1-5-32-552 - [Alias]: BUILTIN\Replicator
S-1-5-32-555 - [Alias]: BUILTIN\Remote Desktop Users
S-1-5-32-556 - [Alias]: BUILTIN\Network Configuration Operators

---
The Command Completed Successfully.


F:\Dev\cpp\SidToName>



Ex2:

F:\Dev\cpp\SidToName>getsids.pl S-1-5-21-1275210071-789336058-1957994488 500 1108

GetSids V01.00.00pl Joe Richards ([EMAIL PROTECTED]) December 2003

S-1-5-1 - [WellKnownGroup]: NT AUTHORITY\DIALUP
S-1-5-2 - [WellKnownGroup]: NT AUTHORITY\NETWORK
S-1-5-3 - [WellKnownGroup]: NT AUTHORITY\BATCH
S-1-5-4 - [WellKnownGroup]: NT AUTHORITY\INTERACTIVE
S-1-5-6 - [WellKnownGroup]: NT AUTHORITY\SERVICE
S-1-5-7 - [WellKnownGroup]: NT AUTHORITY\ANONYMOUS LOGON
S-1-5-8 - [WellKnownGroup]: NT AUTHORITY\PROXY
S-1-5-9 - [WellKnownGroup]: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
S-1-5-10 - [WellKnownGroup]: NT AUTHORITY\SELF
S-1-5-11 - [WellKnownGroup]: NT AUTHORITY\Authenticated Users
S-1-5-12 - [WellKnownGroup]: NT AUTHORITY\RESTRICTED
S-1-5-13 - [WellKnownGroup]: NT AUTHORITY\TERMINAL SERVER USER
S-1-5-14 - [WellKnownGroup]: NT AUTHORITY\REMOTE INTERACTIVE LOGON
S-1-5-18 - [WellKnownGroup]: NT AUTHORITY\SYSTEM
S-1-5-19 - [WellKnownGroup]: NT AUTHORITY\LOCAL SERVICE
S-1-5-20 - [WellKnownGroup]: NT AUTHORITY\NETWORK SERVICE
S-1-5-32 - [Domain]: BUILTIN\BUILTIN

---
S-1-5-32-544 - [Alias]: BUILTIN\Administrators
S-1-5-32-545 - [Alias]: BUILTIN\Users
S-1-5-32-546 - [Alias]: BUILTIN\Guests
S-1-5-32-547 - [Alias]: BUILTIN\Power Users
S-1-5-32-551 - [Alias]: BUILTIN\Backup Operators
S-1-5-32-552 - [Alias]: BUILTIN\Replicator
S-1-5-32-555 - [Alias]: BUILTIN\Remote Desktop Users
S-1-5-32-556 - [Alias]: BUILTIN\Network Configuration Operators

---
S-1-5-21-1275210071-789336058-1957994488-500 - [User]: JOEHOME\Administrator
S-1-5-21-1275210071-789336058-1957994488-501 - [User]: JOEHOME\Guest
S-1-5-21-1275210071-789336058-1957994488-502 - [User]: JOEHOME\krbtgt
S-1-5-21-1275210071-789336058-1957994488-512 - [Group]: JOEHOME\Domain Admins
S-1-5-21-1275210071-789336058-1957994488-513 - [Group]: JOEHOME\Domain Users
S-1-5-21-1275210071-789336058-1957994488-514 - [Group]: JOEHOME\Domain Guests
S-1-5-21-1275210071-789336058-1957994488-515 - [Group]: JOEHOME\Domain Computers
S-1-5-21-1275210071-789336058-1957994488-516 - [Group]: JOEHOME\Domain Controllers
S-1-5-21-1275210071-789336058-1957994488-517 - [Group]: JOEHOME\Cert Publishers
S-1-5-21-1275210071-789336058-1957994488-518 - [Group]: JOEHOME\Schema Admins
S-1-5-21-1275210071-789336058-1957994488-519 - [Group]: JOEHOME\Enterprise Admins
S-1-5-21-1275210071-789336058-1957994488-520 - [Group]: JOEHOME\Group Policy Creator Owners
S-1-5-21-1275210071-789336058-1957994488-553 - [Alias]: JOEHOME\RAS and IAS Servers
S-1-5-21-1275210071-789336058-1957994488-1000 - [User]: JOEHOME\TsInternetUser
S-1-5-21-1275210071-789336058-1957994488-1001 - [User]: JOEHOME\IUSR_W2KASDC1
S-1-5-21-1275210071-789336058-1957994488-1002 - [User]: JOEHOME\IWAM_W2KASDC1
S-1-5-21-1275210071-789336058-1957994488-1003 - [Alias]: JOEHOME\DHCP Users
S-1-5-21-1275210071-789336058-1957994488-1004 - [Alias]: JOEHOME\DHCP Administrators
S-1-5-21-1275210071-789336058-1957994488-1005 - [Alias]: JOEHOME\WINS Users
S-1-5-21-1275210071-789336058-1957994488-1006 - [User]: JOEHOME\W2KASDC1$
S-1-5-21-1275210071-789336058-1957994488-1107 - [Alias]: JOEHOME\DnsAdmins
S-1-5-21-1275210071-789336058-1957994488-1108 - [Group]: JOEHOME\DnsUpdateProxy

---
The Command Completed Successfully.


F:\Dev\cpp\SidToName>



If you got this far down.... Happy New Year! :o)


    joe
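As an added example (not Joe's script and not sidtoname), here is a small offline SID parser in Python that does what the message describes: it splits a SID into authority and subauthorities, tells a machine-local BUILTIN alias apart from a domain SID plus RID, resolves the well-known values listed above without any lookup, and converts between the string form and the binary form that actually sits inside an ACE. The tables are filled only from the SIDs and RIDs shown in this thread; the function names are my own.

```python
import re
import struct

# Well-known SIDs and domain RIDs, taken from the lists in the message above.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": r"NT AUTHORITY\ANONYMOUS LOGON",
    "S-1-5-11": r"NT AUTHORITY\Authenticated Users",
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-545": r"BUILTIN\Users",
    "S-1-5-32-551": r"BUILTIN\Backup Operators",
}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
               512: "Domain Admins", 513: "Domain Users",
               518: "Schema Admins", 519: "Enterprise Admins"}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")

def parse_sid(text):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [subauthorities])."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError("not a SID: %r" % text)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]

def classify(text):
    """Return (scope, name) so an ACE can be read without an online lookup."""
    authority, subs = parse_sid(text)
    if authority == 5 and subs[:1] == [32]:
        # BUILTIN alias: only meaningful in the SAM of the machine (or the
        # DC set) that evaluates the ACE, as the message explains
        return "builtin-local", WELL_KNOWN.get(text, "BUILTIN RID %d" % subs[-1])
    if authority == 5 and subs[:1] == [21] and len(subs) >= 4:
        domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        rid = subs[4] if len(subs) > 4 else None
        name = "(domain itself)" if rid is None else DOMAIN_RIDS.get(rid, "RID %d" % rid)
        return "domain:" + domain, name
    return "well-known", WELL_KNOWN.get(text, "unknown")

def sid_to_bytes(text):
    """Binary form: revision, subauthority count, 48-bit big-endian authority,
    then each subauthority as a little-endian 32-bit value."""
    authority, subs = parse_sid(text)
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(raw):
    """Inverse of sid_to_bytes; this is how a SID is stored inside an ACE."""
    rev, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))
```

Feeding it the domain SID from Ex2 above with RID 512 yields the scope string for that domain plus "Domain Admins", while S-1-5-32-544 is reported as builtin-local, which is the distinction the thread is about.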



 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, December 31, 2003 8:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Administrators group

Irwan,

Interestingly, I'm surprised that this worked under Windows 2000 for you, as
I can't duplicate it here (nor did I expect to be able to...).  The builtin
Administrators group is a special group and is specifically for the purposes
of use on domain controllers, and is a shared group that would be the same
as the groups that you would find on a stand-alone system.  Primary
difference - there is no administrator or administrators group (as well as
others in that builtin container) on the DC.  They are created and
maintained through AD, which is replicated to all DCs, thereby emulating the
behavior of having the users and groups on each DC.

The same effect as what you are looking for can be achieved using
DOMAIN\Domain Admins.  The groups in the users container are there for the
purposes of managing and assigning rights and permissions out of the box -
obviously, until you can design and implement your own group strategy.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Wednesday, December 31, 2003 5:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Administrators group

I just upgraded all of my domain controllers (2 of them) from Windows 2000
to Windows 2003. The domain itself is still in Windows 2000 native mode.

I just noticed one thing: suppose I want to share a folder, and
among the groups that I want to share this folder to is the built-in
administrators group for the domain (DOMAIN\administrators).

I noticed that I can't do that anymore on the member servers that run
2003 because in sharing permissions, when I typed 'administrators' (without
quotation marks) and then clicked on 'check names', it says "An Object named
Administrators can not be found, check the selected object......", but I could
still do that on the domain controllers.

I'm just curious: is this a new behavior in Windows 2003 member servers, or
am I missing something here? Not being able to set permissions for the
DOMAIN\administrators group when sharing the folder is not a big problem for
me, because in fact only my username resides in the DOMAIN\administrators
group, besides of course the default users -> DOMAIN\administrator, Domain
Admins, Enterprise Admins.

I needed to do that because it made it easier back then with Windows
2000 in managing the default security permissions on the computers' partition
(I just removed the 'everyone' group and added SYSTEM, COMPUTER\administrators, and
DOMAIN\administrators). For the owner of that computer, I just added his
DOMAIN\username to the local COMPUTER\administrators group.

Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/