That is odd. Here is what one of my DCs shows:

    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    Windows Authorization Access Group
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    This Organization
    ServerName$
    Domain Controllers
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

The first thing I would do is look at that DC directly to make sure it has all the proper values on itself. If it does, then I would use gpresult and ethereal and get a trace just to make sure that it is using the info on the local machine. You can even set up the gateway values so that you could see the traffic locally, but mostly you just want to see if the queries are going off the box, and you don't need to change any IP config to capture that; just watch the traffic for all LDAP packets. If it is going off the box for the info, go look at the DC it is querying and find out what is dorked up.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ali Cain
Sent: Tuesday, May 02, 2006 5:35 PM
To: [email protected]
Subject: [ActiveDir] GPResult incorrectly reporting DC's security groups?

I am currently looking at a forest which had some issues after DCPromo'ing some of the DCs; most of the problems appear to be resolved. However, a few of the DCs (Windows 2003 SP1) have a rather odd entry in GPResult (and GPMC) output:

    The computer is a part of the following security groups
    -------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    This Organization
    <computeraccountname>$
    Domain Computers

So it is reporting to be a member of Domain Computers, when it should not be. More concerning is that it is not reporting as being a member of the following groups:

    BUILTIN\Pre-Windows 2000 Compatible Access
    Windows Authorization Access Group
    Domain Controllers
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

Via Active Directory Users and Computers, group membership appears correct. Looking at the attributes of the DC's computer account, it can be seen that the "primaryGroupID" is 516 (Domain Controllers).
I have had a good look over the DC and cannot see sign of any other problems, and the DC is being used by clients without issues. Does anyone have any suggestions as to why the group membership appears incorrect? Or how else to interrogate the computer's token?

Also, something I have not noticed before: looking at the attributes of a DC's computer account via LDP, "Domain Controllers" is not listed in memberOf. Is that expected behaviour and if so why?

Many thanks,
Ali.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
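
Background for the memberOf question in the thread above, as an added example that is not part of the original messages: Active Directory records an account's primary group only in primaryGroupID, so that group does not appear in memberOf, and its SID is the domain SID with primaryGroupID as the final RID. The sample objectSid, group DN and the helper names below are constructed for illustration.

```python
import struct

# Well-known domain RIDs that appear in the thread's gpresult output.
WELL_KNOWN_RIDS = {515: "Domain Computers", 516: "Domain Controllers"}

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])   # 32-bit each, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def primary_group_sid(object_sid: str, primary_group_id: int) -> str:
    """Swap the account's own RID for primaryGroupID to get the group SID."""
    domain_sid, sep, rid = object_sid.rpartition("-")
    if not sep or not rid.isdigit():
        raise ValueError("not a SID string")
    return f"{domain_sid}-{primary_group_id}"

def describe_membership(entry: dict) -> dict:
    """Combine memberOf with the primary group that memberOf omits."""
    rid = entry["primaryGroupID"]
    return {
        "primary_sid": primary_group_sid(sid_to_str(entry["objectSid"]), rid),
        "primary_name": WELL_KNOWN_RIDS.get(rid, "(look up by SID)"),
        "member_of": list(entry["memberOf"]),
        "is_dc_primary_group": rid == 516,
    }

# Constructed sample: a DC computer account as an LDAP query might return it.
SAMPLE_DC = {
    "objectSid": bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
        "<5I", 21, 1004336348, 1177238915, 682003330, 1105),
    "primaryGroupID": 516,
    "memberOf": ["CN=Example Group,CN=Users,DC=example,DC=com"],
}

if __name__ == "__main__":
    for key, value in describe_membership(SAMPLE_DC).items():
        print(f"{key}: {value}")
```

A computer account whose primaryGroupID is 515 rather than 516 would resolve to Domain Computers through the same calculation, which makes the attribute worth comparing across the affected and healthy DCs.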
