After reading joe's description, which sounds accurate to a non-expert like myself, I am willing to raise my confidence in my answer from a measly 12% to a full 17%.
Well, I agree with most of what joe said, except for the part about not being able to "look" at the membership, you _sort of_ can as I alluded to in my mail, just not via the typical member attribute as joe was pointing out.

Cheers,
Brett

On Wed, 24 Aug 2005, Dean Wells wrote:

>
> To further clarify Joe's point; the subset of foreignSecurityPrincipals
> within the domain NC under the ForeignSecurityPrincipals container (many [or
> all] of which will be well-known security principals) are present there
> because of a relationship with another object within that partition.
>
> The foreignSecurityPrincipals within the config. NC serve as a template and
> represent the well-known security principals listed by the object picker
> when, for example, editing an ACL (do not test this by deleting one, unless
> it's a sandpit, since recreating them can be problematic).
>
> As a general rule of thumb, and as far as I can recollect, foreign security
> principals are created to represent any security principal that cannot be
> resolved by a forest-local GC, e.g. users from a foreign forest's domain or
> well-known security principals ... <teasing> and are necessary because of
> the archaic underlying database engine we continue to insist on using :o)
> </teasing>.
>
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, August 24, 2005 9:01 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Enterprise Domain Controllers
>
> It isn't an actual group.
>
> It is a Well-Known security principal (SID=S-1-5-9) like Authenticated Users
> or Everyone or Terminal Server User. You don't have the ability to look at
> the membership, let alone modify it. When a token for a domain controller is
> built, the SID is simply added to it.
>
> It is represented in the directory as a foreignSecurityPrincipal so it can
> be added to groups and ACEs like Everyone is. As Tom indicated, it is
> maintained in the Wellknown Security Principals container of the
> configuration partition with other Well Known Security Principals.
>
> Here is a quick listing of all the FSPs listed in that container
>
> Anonymous Logon
> Authenticated Users
> Batch
> Creator Group
> Creator Owner
> Dialup
> Digest Authentication
> Enterprise Domain Controllers
> Everyone
> Interactive
> Local Service
> Network
> Network Service
> NTLM Authentication
> Other Organization
> Proxy
> Remote Interactive Logon
> Restricted
> SChannel Authentication
> Self
> Service
> Terminal Server User
> This Organization
> Well-Known-Security-Id-System
> WellKnown Security Principals
>
>
> joe
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
> Sent: Wednesday, August 24, 2005 5:17 AM
> To: [email protected]
> Subject: [ActiveDir] Enterprise Domain Controllers
>
> Hey All,
>
> Can anyone tell me where this group is stored? It isn't in the directory,
> and it isn't a local group...any ideas on how to check its membership list
> is correct?
>
> TIA,
>
>
> Brad
>
>
> This email and any attached files are confidential and copyright protected.
> If you are not the addressee, any dissemination of this communication is
> strictly prohibited. Unless otherwise expressly agreed in writing, nothing
> stated in this communication shall be legally binding.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
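An added example, not part of the original thread: when auditing a group's `member` values, this Python sketch separates foreignSecurityPrincipal entries that stand for well-known principals such as S-1-5-9 from those that stand for accounts in another forest, and decodes a binary `objectSid`. Only S-1-5-9 comes from the thread; the other SID values are from Microsoft's published well-known SID list, and the DNs and the `S-1-5-21-...` SID are constructed samples.

```python
import re
import struct

# Subset of the principals in joe's listing; only S-1-5-9 is quoted in the thread.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-13": "Terminal Server User",
    "S-1-5-18": "Well-Known-Security-Id-System",
}
# FSP objects in the domain NC carry the SID string as their CN.
FSP_DN = re.compile(r"^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,", re.I)

# Constructed member values for illustration only.
SAMPLE_MEMBERS = [
    "CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=example,DC=com",
    "CN=S-1-5-21-1111111111-2222222222-3333333333-1105,"
    "CN=ForeignSecurityPrincipals,DC=example,DC=com",
    "CN=Some Group,OU=Groups,DC=example,DC=com",
]

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-R-A-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def classify_member(dn: str) -> str:
    """Label one value taken from a group's member attribute."""
    m = FSP_DN.match(dn)
    if not m:
        return "not a foreignSecurityPrincipal"
    sid = m.group(1)
    if sid in WELL_KNOWN:
        return f"well-known principal: {WELL_KNOWN[sid]}"
    if sid.startswith("S-1-5-21-"):
        return f"foreign domain principal: {sid}"
    return f"unrecognised SID: {sid}"

if __name__ == "__main__":
    for dn in SAMPLE_MEMBERS:
        print(classify_member(dn), "<-", dn)
```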
