Strange...
 
Access is preserved and the ACL editor resolves the sids to names....
 
It may be stupid to mention, but are they sure these are global groups and not 
server local groups... that at least clarifies "not being visible in the 
domain", "not listed in the memberof", "listed/resolved in ACL editor". 
 
I don't want to be rude... but in this case I would want to see this with my own 
eyes.
 
Cheers
Jorge

________________________________

From: [EMAIL PROTECTED] on behalf of Sakari Kouti
Sent: Fri 9/9/2005 5:45 PM
To: [email protected]
Subject: RE: [ActiveDir] Create a group with a specified SID



Hi Jorge and Dean,

Answers and more description:

- I don't have personal access to the network in question, but I trust the guys 
over there to give me quite correct information. Of course, it's never the same 
as seeing yourself.

- The NTDS dump I mentioned is by using the operational dumpDatabase attribute 
of RootDSE.

- The missing groups are not visible with any of the following:
        - The previously mentioned NTDS dump
        - NET LOCALGROUP or NET GROUP
        - NT User Manager
        - ADSI Edit
        - ADUC search feature

- The Member Of tab of a user in ADUC does not list the missing groups.

- The old members of the groups can access the resources (even though they 
don't show in the Member Of tab).

- In ACL Editor, the missing groups show as names, not SIDs.

- You can create a new group in NT User Manager with the same SAM name as the 
missing one. After that, it also shows in ADUC. And after that, the missing 
group shows as a SID in ACL Editor, and not by name anymore.

- The forest has a root and three child domains, and this problem appears in 
one of the child domains.

- The problem domain has 3 DCs.

- The missing groups are global groups.

- I have to ask them to check the WHOAMI/SECTOK thing.

It seems that the groups are gone from the DCs but are still cached in the 
member servers. But it's funny that this caching still applies after several 
weeks. But still the question remains: how do the missing groups get in the 
users' access tokens?

Because they cannot add users to the missing groups, they could create a new 
group for each missing group, with the suffix NEW, for example, and add all 
the correct users to these new groups (the member information is available). 
But those new groups would need to be added to all the resources on all the 50 
member servers.

They could also try the following:
- perform the in-place upgrade again from the rolled-back BDC to a new empty 
forest/domain
- migrate (with ADMT) the groups in question to another empty forest/domain
- then migrate (with ADMT) the groups in question to the current production 
domain (if ADMT allows this, and if the RIDs of the incoming missing groups are 
not already reused in the production domain)

Yours, Sakari
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
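Added diagnostic, not part of either message above: a PowerShell script that answers Sakari's "how do the missing groups get in the users' access tokens" question and checks Jorge's server-local-group suggestion from one place. It takes every domain-style SID in the current logon token, resolves it through LSA (the same lookup ACL Editor does) and searches the global catalog for an object with that objectSid; a SID that still resolves to a name but has no directory object is the symptom described in the thread. It assumes a domain-joined Windows host, a domain user logon, and the System.DirectoryServices assembly.

```powershell
# Added example (not from the thread): classify every domain SID in the current logon token.
# Assumptions: domain-joined Windows host, run as a domain user, System.DirectoryServices available.
Add-Type -AssemblyName System.DirectoryServices

$identity      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$forestNC      = [string]([ADSI]"LDAP://RootDSE").rootDomainNamingContext   # e.g. DC=example,DC=com
$userDomainSid = $identity.User.AccountDomainSid.Value                      # S-1-5-21-... of the user's own domain

function Resolve-SidName([System.Security.Principal.SecurityIdentifier]$Sid) {
    # LSA lookup, the same path ACL Editor uses: succeeds for directory objects,
    # local groups on this machine, and SIDs still sitting in the local name cache.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}

function Find-SidInGlobalCatalog([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Exact objectSid search against the GC, so global groups of every domain in the forest are covered.
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    # Binary SID escaped as \xx pairs for the LDAP filter (RFC 4515 encoding)
    $filter = '(objectSid=' + (($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join '') + ')'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"GC://$forestNC", $filter, [string[]]@('distinguishedName', 'groupType'))
    $searcher.FindOne()
}

foreach ($sid in $identity.Groups) {
    # Only domain-style SIDs (S-1-5-21-...) matter here; BUILTIN and NT AUTHORITY entries are skipped.
    if ($sid.Value -notlike 'S-1-5-21-*') { continue }
    $name  = Resolve-SidName $sid
    $entry = Find-SidInGlobalCatalog $sid
    $status = if ($entry) { 'object exists in directory' }
              elseif ($sid.AccountDomainSid.Value -ne $userDomainSid) { 'not this domain: server local group or foreign domain (Jorge''s case)' }
              elseif ($name) { 'RESOLVES TO A NAME BUT HAS NO DIRECTORY OBJECT (Sakari''s symptom)' }
              else { 'orphaned SID: no name, no object' }
    '{0,-48} {1,-36} {2}' -f $sid.Value, $(if ($name) { $name } else { '-' }), $status
}
```

Run it on one of the member servers as an affected user: a row flagged "RESOLVES TO A NAME BUT HAS NO DIRECTORY OBJECT" is a group that has left the DCs but is still being issued into tokens and resolved locally, while rows in the "server local group" category explain the ACL-editor-only visibility Jorge suspects.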
