I am currently looking at a forest which had some issues after
DCPromo'ing some of the DCs, most of the problems appear to be
resolved.
However, a few of the DCs (Windows 2003 SP1) have a rather odd entry
in GPResult (and GPMC) output :
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
<computeraccountname>$
Domain Computers
So it is reporting to be a member of Domain Computers, when it should not be.
More concerning is that it is not reporting as being a member of the
following groups :
BUILTIN\Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Via Active Directory Users and Computers, group membership appears correct.
Looking at the attributes of the DC's computer account, it can be seen
that the "primaryGroupID" is 516 (Domain Controllers).
I have had a good look over the DC and can not see sign of any other
problems and the DC is being used by clients without issues.
Does anyone have any suggestions as to why the group membership
appears incorrect? Or how else to interrogate the computer's token?
Also, something I have not noticed before : looking at the attributes
of a DC's computer account via LDP, "Domain Controllers" is not listed
in memberOf. Is that expected behaviour and if so why?
Many thanks,
Ali.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
