Thanks for the info.

I'm not sure I'd agree that the groups are cached on the members, they're
Global Groups whose SID is making it into the user's token (I'm assuming
this is not occurring due to cached creds.).  In addition, the SIDs are
being resolved within the ACL editor, as such, it seems more likely to me
that they do still exist in some way, shape or form on the DCs in the child
domain.  What attributes were you dumping?  Is Universal group caching
being used, or has it been used?  Does the same result occur if the users
log on to a workstation they've never previously visited (cached creds.)?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Friday, September 09, 2005 11:45 AM
To: [email protected]
Subject: RE: [ActiveDir] Create a group with a specified SID

Hi Jorge and Dean,

Answers and more description:

- I don't have personal access to the network in question, but I trust the
guys over there to give me quite correct information. Of course, it's never
the same as seeing for yourself.

- The NTDS dump I mentioned is by using the operational dumpDatabase
attribute of RootDSE.

- The missing groups are not visible with any of the following:
        - The previously mentioned NTDS dump
        - NET LOCALGROUP or NET GROUP
        - NT User Manager
        - ADSI Edit
        - ADUC search feature

- The Member Of tab of a user in ADUC does not list the missing groups.

- The old members of the groups can access the resources (even though they
don't show in the Member Of tab).

- In ACL Editor, the missing groups show as names, not SIDs.

- You can create a new group in NT User Manager with the same SAM name as
the missing one. After that, it also shows in ADUC. And after that, the
missing group shows as a SID in ACL Editor, and not by name anymore.

- The forest has a root and three child domains, and this problem appears in
one of the child domains.

- The problem domain has 3 DCs.

- The missing groups are global groups.

- I have to ask them to check the WHOAMI/SECTOK thing.

It seems that the groups are gone from the DCs but are still cached in the
member servers. But it's funny that this caching still applies after several
weeks. And still the question remains how the missing groups get into the
users' access tokens.

Because they cannot add users to the missing groups, they could create a new
group for each missing group, with the suffix NEW, for example, and add all
the correct users to these new groups (the member information is available).
But those new groups would need to be added to all the resources on all
50 member servers.

They could also try the following:
- perform the in-place upgrade again from the rolled-back BDC to a new empty
forest/domain
- migrate (with ADMT) the groups in question to another empty forest/domain
- then migrate (with ADMT) the groups in question to the current production
domain (if ADMT allows this, and if the RIDs of the incoming missing groups
are not already reused in the production domain)

Yours, Sakari
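A diagnostic in the spirit of the WHOAMI/SECTOK check mentioned above, added here as an example and not part of the thread: it enumerates the groups in the logged-on user's access token and reports, for each SID from the user's own domain, whether LSA still resolves it to a name (the lookup the ACL editor performs) and whether a group object with that objectSid still exists in the directory. It assumes the RSAT ActiveDirectory module is installed and that it is run on a member server as the affected domain user.

```powershell
# Added example (not from the thread): compare the group SIDs in the current
# user's token against LSA name resolution and the directory itself.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Test-TokenGroup {
    param([System.Security.Principal.SecurityIdentifier]$Sid)

    # Name lookup through LSA: the same path the ACL editor uses to show a name
    $name = try {
        $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $null }

    # Directory lookup by objectSid: Get-ADGroup -Identity accepts a SID string
    $object = try {
        Get-ADGroup -Identity $Sid.Value -ErrorAction Stop
    } catch { $null }

    # A name that still resolves while no group object carries that SID is the
    # pattern described in the thread (named in ACL editor, absent from AD)
    $finding = if ($object) { 'ok' }
               elseif ($name) { 'name resolves, no AD object' }
               else { 'orphaned SID' }

    [pscustomobject]@{
        Sid         = $Sid.Value
        LsaName     = if ($name) { $name } else { '<unresolved>' }
        InDirectory = [bool]$object
        Finding     = $finding
    }
}

$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Keep only SIDs issued by the user's own domain. This drops well-known SIDs
# (Everyone, Authenticated Users, logon session SIDs, whose AccountDomainSid
# is $null) and the member server's local S-1-5-21-... groups, which would
# otherwise show up as "no AD object" for the wrong reason.
$token.Groups |
    Where-Object { $_.AccountDomainSid -eq $token.User.AccountDomainSid } |
    ForEach-Object { Test-TokenGroup -Sid $_ } |
    Format-Table -AutoSize
```

Run it once on a member server where the old members still get access and once on a freshly logged-on machine, as asked above, and compare the Finding column; a row reading "name resolves, no AD object" for a global group SID is the condition the thread is trying to explain.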
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/