> Also, something I have not noticed before : looking at the attributes
> of a DC's computer account via LDP, "Domain Controllers" is not listed
> in memberOf.  Is that expected behaviour and if so why?

Yes, because it's the primaryGroup and that's stored separately
(everything in memberOf is linked to the group). You'll see the same for
Domain Computers, Domain Users, etc.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Ali Cain
> Sent: Tuesday, May 02, 2006 5:35 PM
> To: [email protected]
> Subject: [ActiveDir] GPResult incorrectly reporting DC's security
> groups?
> 
> I am currently looking at a forest which had some issues after
> DCPromo'ing some of the DCs, most of the problems appear to be
> resolved.
> 
> However, a few of the DCs (Windows 2003 SP1) have a rather odd entry in
> GPResult (and GPMC) output :
> 
>     The computer is a part of the following security groups
>     -------------------------------------------------------
>         BUILTIN\Administrators
>         Everyone
>         BUILTIN\Users
>         NT AUTHORITY\NETWORK
>         NT AUTHORITY\Authenticated Users
>         This Organization
>         <computeraccountname>$
>         Domain Computers
> 
> So it is reporting to be a member of Domain Computers, when it should
> not be.
> 
> More concerning is that it is not reporting as being a member of the
> following groups :
>         BUILTIN\Pre-Windows 2000 Compatible Access
>         Windows Authorization Access Group
>         Domain Controllers
>         NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
> 
> Via Active Directory Users and Computers, group membership appears
> correct.
> 
> Looking at the attributes of the DC's computer account, it can be seen
> that the "primaryGroupID" is 516 (Domain Controllers).
> 
> I have had a good look over the DC and can not see sign of any other
> problems and the DC is being used by clients without issues.
> 
> Does anyone have any suggestions as to why the group membership appears
> incorrect? Or how else to interrogate the computer's token?
> 
> 
> Also, something I have not noticed before : looking at the attributes
> of a DC's computer account via LDP, "Domain Controllers" is not listed
> in memberOf.  Is that expected behaviour and if so why?
> 
> Many thanks,
> Ali.
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
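
Added example, not part of the original thread: a Python sketch of how an audit script can recover the group that memberOf omits, by decoding the account's binary objectSid and swapping its last RID for primaryGroupID. The SID values, DNs and the groups_by_sid lookup table are constructed for illustration; in a live directory the lookup would be a search on the computed objectSid.

```python
import struct

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])      # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(object_sid: str, primary_group_id: int) -> str:
    """primaryGroupID is a RID in the account's own domain: replace the last RID."""
    domain_sid, _, _own_rid = object_sid.rpartition("-")
    return f"{domain_sid}-{primary_group_id}"

def effective_groups(entry: dict, groups_by_sid: dict) -> list:
    """Direct groups = memberOf plus the primary group, which memberOf never lists."""
    sid = primary_group_sid(sid_from_bytes(entry["objectSid"]),
                            entry["primaryGroupID"])
    primary_dn = groups_by_sid.get(sid, f"<unresolved {sid}>")
    return sorted(set(entry["memberOf"]) | {primary_dn})

# Constructed sample data (hypothetical domain example.test, made-up SID).
DOMAIN_SUBS = (21, 1004336348, 1177238915, 682003330)
DC_ENTRY = {
    "objectSid": bytes([1, 5]) + (5).to_bytes(6, "big")
                 + struct.pack("<5I", *DOMAIN_SUBS, 1105),
    "primaryGroupID": 516,  # Domain Controllers, as in the thread
    "memberOf": ["CN=Hypothetical Group,OU=Groups,DC=example,DC=test"],
}
GROUPS_BY_SID = {
    "S-1-5-21-1004336348-1177238915-682003330-516":
        "CN=Domain Controllers,CN=Users,DC=example,DC=test",
}

if __name__ == "__main__":
    for dn in effective_groups(DC_ENTRY, GROUPS_BY_SID):
        print(dn)
```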
