To further clarify Joe's point: the subset of foreignSecurityPrincipals within the domain NC under the ForeignSecurityPrincipals container (many [or all] of which will be well-known security principals) are present there because of a relationship with another object within that partition.

The foreignSecurityPrincipals within the config. NC serve as a template and represent the well-known security principals listed by the object picker when, for example, editing an ACL (do not test this by deleting one, unless it's a sandpit, since recreating them can be problematic). As a general rule of thumb, and as far as I can recollect, foreign security principals are created to represent any security principal that cannot be resolved by a forest-local GC, e.g. users from a foreign forest's domain or well-known security principals ... <teasing> and are necessary because of the archaic underlying database engine we continue to insist on using :o) </teasing>.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 24, 2005 9:01 AM
To: [email protected]
Subject: RE: [ActiveDir] Enterprise Domain Controllers

It isn't an actual group. It is a Well-Known security principal (SID=S-1-5-9) like Authenticated Users or Everyone or Terminal Server User. You don't have the ability to look at the membership, let alone modify it. When a token for a domain controller is built, the SID is simply added to it. It is represented in the directory as a foreignSecurityPrincipal so it can be added to groups and ACEs like Everyone is. As Tom indicated, it is maintained in the Wellknown Security Principals container of the configuration partition with other Well Known Security Principals.

Here is a quick listing of all the FSPs listed in that container:

Anonymous Logon
Authenticated Users
Batch
Creator Group
Creator Owner
Dialup
Digest Authentication
Enterprise Domain Controllers
Everyone
Interactive
Local Service
Network
Network Service
NTLM Authentication
Other Organization
Proxy
Remote Interactive Logon
Restricted
SChannel Authentication
Self
Service
Terminal Server User
This Organization
Well-Known-Security-Id-System
WellKnown Security Principals

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Wednesday, August 24, 2005 5:17 AM
To: [email protected]
Subject: [ActiveDir] Enterprise Domain Controllers

Hey All,

Can anyone tell me where this group is stored? It isn't in the directory, and it isn't a local group...any ideas on how to check its membership list is correct?

TIA,
Brad

This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
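
Added example, not part of the original thread: when auditing foreignSecurityPrincipal objects of the two kinds described above, decoding each binary objectSid separates well-known principals such as S-1-5-9 from principals that belong to another domain. The SID values other than S-1-5-9 are standard Windows well-known SIDs, and the sample objectSid values (including the domain SID) are constructed.

```python
import struct

# Subset of well-known SIDs. S-1-5-9 is the value given in the thread; the
# others are standard Windows well-known SIDs added for this example.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-13": "Terminal Server User",
}

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid (as returned over LDAP) to S-R-A-S... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def classify(raw: bytes):
    """Return (sid, kind, name) for one foreignSecurityPrincipal objectSid."""
    sid = sid_to_str(raw)
    if sid in WELL_KNOWN:
        return sid, "well-known", WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-"):
        # Domain-issued SID: a user, group or computer from some domain.
        return sid, "domain principal", None
    return sid, "other", None

# Constructed sample values, not taken from any real directory.
HEADER_NT = (5).to_bytes(6, "big")
SAMPLE = [
    bytes.fromhex("010100000000000509000000"),        # S-1-5-9
    struct.pack("<BB", 1, 1) + HEADER_NT + struct.pack("<I", 11),
    struct.pack("<BB", 1, 5) + HEADER_NT
    + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1104),
]

def audit(values):
    """Classify every objectSid in an iterable of binary values."""
    return [classify(v) for v in values]

if __name__ == "__main__":
    for sid, kind, name in audit(SAMPLE):
        print(f"{sid:55} {kind:17} {name or ''}")
```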
