Hi Sakari,

I assume you searched all possible containers and OUs for the groups. You say access is still possible through the groups, so IMHO they MUST still exist somehow/somewhere.

If you log in at a client using a user account that is a member of the missing groups, you can then use WHOAMI or SECTOK from joeware to see what the group memberships are. You could then query AD for the location of the groups using a script I created a long time ago (that checks if security principals exist in a certain domain and, if they do, what the parent location is, including the LDAP path; output is to an Excel sheet).

Could that be a solution?

Cheers,
Jorge
________________________________
From: [EMAIL PROTECTED] on behalf of Sakari Kouti
Sent: Fri 9/9/2005 3:19 PM
To: [email protected]
Subject: [ActiveDir] Create a group with a specified SID

Hi All,

Is there a tool that would create a group and allow you to specify the SID for the group? The domain part of the SID would match the domain, so actually only the RID would need to be specified.

A short background: I was told about a case where an NT domain was in-place upgraded to WS2003. During the upgrade, 75 % of the global groups disappeared. Unfortunately, this was noticed only a couple of weeks later, so it would be quite impossible to do the upgrade again from the roll-back BDC. Also, re-ACLing those groups with SubInACL in 50 servers would be quite laborious.

An interesting side-note: The missing groups don't show in ADUC, NT User Manager, or an NTDS dump in any of the DCs, so you obviously cannot add any new members in them. On the other hand, they still continue to work, so that the old members can access resources based on these missing groups. I wonder where they could be cached, and how to track them.

Yours,
Sakari

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
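The check suggested in the reply (read the group SIDs from an affected user's logon token, then see which of them the directory can still locate), as an added example that is not part of the original thread and is not Jorge's script. It assumes the token was captured with `whoami /groups /fo csv` and that the SIDs of all group objects present in the directory were exported separately; the domain SID, names and RIDs below are constructed sample values.

```python
import csv
import io

# Constructed sample of `whoami /groups /fo csv` output (not real data).
# How whoami renders an unresolvable SID is an assumption; only the SID column is read.
WHOAMI_CSV = '''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"EXAMPLE\\Domain Users","Group","S-1-5-21-1111111111-2222222222-3333333333-513","Mandatory group, Enabled by default, Enabled group"
"EXAMPLE\\Sales","Group","S-1-5-21-1111111111-2222222222-3333333333-1104","Mandatory group, Enabled by default, Enabled group"
"","Unknown SID type","S-1-5-21-1111111111-2222222222-3333333333-1187","Mandatory group, Enabled by default, Enabled group"
"","Unknown SID type","S-1-5-21-1111111111-2222222222-3333333333-1190","Mandatory group, Enabled by default, Enabled group"
'''

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
# Constructed stand-in for a directory export of every group's objectSid.
DIRECTORY_SIDS = [DOMAIN_SID + "-513", DOMAIN_SID + "-1104"]


def split_sid(sid):
    """Return (domain_sid, rid) for an S-1-5-21-a-b-c-rid SID, else (sid, None)."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return sid, None


def token_sids(whoami_csv):
    """Extract the SID column; quoted fields may contain commas, so use csv."""
    reader = csv.DictReader(io.StringIO(whoami_csv))
    return [row["SID"].strip() for row in reader if row.get("SID")]


def orphaned_rids(whoami_csv, domain_sid, directory_sids):
    """RIDs that are in the token for this domain but have no directory object."""
    known = {s.upper() for s in directory_sids}
    missing = set()
    for sid in token_sids(whoami_csv):
        dom, rid = split_sid(sid)
        if rid is not None and dom == domain_sid and sid.upper() not in known:
            missing.add(rid)
    return sorted(missing)


if __name__ == "__main__":
    for rid in orphaned_rids(WHOAMI_CSV, DOMAIN_SID, DIRECTORY_SIDS):
        print(f"{DOMAIN_SID}-{rid} is in the token but not in the directory")
```

Running it over tokens from several affected users gives the set of RIDs that are still being honoured in ACLs without a matching group object.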
