Have you any idea what the this organization thing is? I noticed that when I went and did gpresult on one of mine in reference to this thread.
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:ActiveDir- > [EMAIL PROTECTED] On Behalf Of joe > Sent: Thursday, May 04, 2006 9:47 PM > To: [email protected] > Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security > groups? > > That is odd. Here is what one of my DCs shows > > BUILTIN\Administrators > Everyone > BUILTIN\Users > Windows Authorization Access Group > NT AUTHORITY\NETWORK > NT AUTHORITY\Authenticated Users > This Organization > ServerName$ > Domain Controllers > NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS > > > The first thing I would do is look at that DC directly to make sure it > has all the proper values on itself. If it does, then I would use > gpresult and ethereal and get a trace just to make sure that it is > using the info on the local machine. You can even set up the gateway > values so that you could see the traffic locally but mostly you just > want to see if the queries are going off the box and you don't need to > change any IP config to capture that, just watch the traffic for all > LDAP packets. If it is going off the box for the info, go look at the > DC it is querying and find out what is dorked up. > > joe > > > > > -- > O'Reilly Active Directory Third Edition - > http://www.joeware.net/win/ad3e.htm > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Ali Cain > Sent: Tuesday, May 02, 2006 5:35 PM > To: [email protected] > Subject: [ActiveDir] GPResult incorrectly reporting DC's security > groups? > > I am currently looking at a forest which had some issues after > DCPromo'ing some of the DCs, most of the problems appear to be > resolved. > > However, a few of the DCs (Windows 2003 SP1) have a rather odd entry in > GPResult (and GPMC) output : > > The computer is a part of the following security groups > ------------------------------------------------------- > BUILTIN\Administrators > Everyone > BUILTIN\Users > NT AUTHORITY\NETWORK > NT AUTHORITY\Authenticated Users > This Organization > <computeraccountname>$ > Domain Computers > > So it is reporting to be a member of Domain Computers, when it should > not be. > > More concerning is that it is not reporting as being a member of the > following groups : > BUILTIN\Pre-Windows 2000 Compatible Access > Windows Authorization Access Group > Domain Controllers > NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS > > Via Active Directory Users and Computers, group membership appears > correct. > > Looking at the attributes of the DC's computer account, it can be seen > that the "primaryGroupID" is 516 (Domain Controllers). > > I have had a good look over the DC and can not see sign of any other > problems and the DC is being used by clients without issues. > > Does anyone have any suggestions as to why the group membership appears > incorrect? Or how else to interrogate the computer's token? > > > Also, something I have not noticed before : looking at the attributes > of a DC's computer account via LDP, "Domain Controllers" is not listed > in memberOf. Is that expected behaviour and if so why? > > Many thanks, > Ali. > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail- > archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail- > archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
