As Steve mentioned it is for the Trust Selective Authentication stuff. You
may have noticed this and Other Organization security principals in your
Forest after you did your Windows Server 2003 ForestPrep. If not, go peek at
your defined WellKnown Security Principals container in the config...
dn:CN=This Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
>objectClass: top
>objectClass: foreignSecurityPrincipal
>cn: This Organization
>distinguishedName: CN=This Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
>instanceType: 4
>whenCreated: 20050424170716.0Z
>whenChanged: 20050424170716.0Z
>uSNCreated: 12314
>uSNChanged: 12314
>showInAdvancedViewOnly: TRUE
>name: This Organization
>objectGUID: {EA66BC8D-F614-4906-8E20-F17A7967D58F}
>objectSid: S-1-5-15
>objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=joeware,DC=local
dn:CN=Other Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
>objectClass: top
>objectClass: foreignSecurityPrincipal
>cn: Other Organization
>distinguishedName: CN=Other Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
>instanceType: 4
>whenCreated: 20050424170716.0Z
>whenChanged: 20050424170716.0Z
>uSNCreated: 12315
>uSNChanged: 12315
>showInAdvancedViewOnly: TRUE
>name: Other Organization
>objectGUID: {8C59DDCA-99DC-4548-A1CE-20A02D906B78}
>objectSid: S-1-5-1000
>objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=joeware,DC=local
For some very light programmatic info regarding your favorite framework on
it check out
http://msdn2.microsoft.com/en-US/library/ms180941.aspx
and
http://msdn2.microsoft.com/en-US/library/system.directoryservices.activedirectory.forest.getselectiveauthenticationstatus.aspx
I don't ever recall seeing anything that mentions it in the Win32 API, though
the .NET stuff is thunking down to the real API at some point. .NET doesn't
actually do anything itself. ;o)
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
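
Added example (not part of joe's message or of any post in this thread): a small Python check for the symptom discussed in the quoted messages below. It diffs a gpresult group list against the list joe's healthy DC reported, and derives the primary group's SID from primaryGroupID, which is how Domain Controllers membership is recorded even though memberOf does not list it. The sample text, the DC01$ name and the account SID are constructed.

```python
# Added example, not from the thread. Baseline = the group names joe's healthy
# DC reported, minus the machine-specific "ServerName$" entry.
DC_BASELINE = {
    "BUILTIN\\Administrators", "Everyone", "BUILTIN\\Users",
    "Windows Authorization Access Group", "NT AUTHORITY\\NETWORK",
    "NT AUTHORITY\\Authenticated Users", "This Organization",
    "Domain Controllers", "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
}

def parse_gpresult_groups(text):
    """Return the names listed under gpresult's 'security groups' heading."""
    groups, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if "part of the following security groups" in line:
            in_section = True
        elif in_section and line and not set(line) <= {"-"}:
            groups.append(line)  # skip the dashed underline, keep names
        elif in_section and not line and groups:
            break  # blank line after the list ends the section
    return groups

def diff_against_baseline(groups):
    """Return (missing, unexpected) versus DC_BASELINE, skipping machine accounts."""
    seen = {g for g in groups if not g.endswith("$")}
    return sorted(DC_BASELINE - seen), sorted(seen - DC_BASELINE)

def primary_group_sid(account_sid, primary_group_id):
    """Primary group SID: the account's domain SID with primaryGroupID as RID."""
    domain_sid, _, _rid = account_sid.rpartition("-")
    return f"{domain_sid}-{primary_group_id}"

# Constructed sample modelled on the affected DC's output; "DC01$" is a placeholder.
SAMPLE = """The computer is a part of the following security groups
-------------------------------------------------------
    BUILTIN\\Administrators
    Everyone
    BUILTIN\\Users
    NT AUTHORITY\\NETWORK
    NT AUTHORITY\\Authenticated Users
    This Organization
    DC01$
    Domain Computers
"""

if __name__ == "__main__":
    print(diff_against_baseline(parse_gpresult_groups(SAMPLE)))
    # Constructed account SID; 516 is the primaryGroupID reported in the thread.
    print(primary_group_sid("S-1-5-21-1111111111-2222222222-3333333333-1105", 516))
```
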
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 04, 2006 10:02 PM
To: [email protected]
Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security
groups?
Have you any idea what the this organization thing is? I noticed that when I
went and did gpresult on one of mine in reference to this thread.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, May 04, 2006 9:47 PM
> To: [email protected]
> Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security
> groups?
>
> That is odd. Here is what one of my DCs shows
>
> BUILTIN\Administrators
> Everyone
> BUILTIN\Users
> Windows Authorization Access Group
> NT AUTHORITY\NETWORK
> NT AUTHORITY\Authenticated Users
> This Organization
> ServerName$
> Domain Controllers
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>
>
> The first thing I would do is look at that DC directly to make sure it
> has all the proper values on itself. If it does, then I would use
> gpresult and ethereal and get a trace just to make sure that it is
> using the info on the local machine. You can even set up the gateway
> values so that you could see the traffic locally but mostly you just
> want to see if the queries are going off the box and you don't need to
> change any IP config to capture that, just watch the traffic for all
> LDAP packets. If it is going off the box for the info, go look at the
> DC it is querying and find out what is dorked up.
>
> joe
>
>
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ali Cain
> Sent: Tuesday, May 02, 2006 5:35 PM
> To: [email protected]
> Subject: [ActiveDir] GPResult incorrectly reporting DC's security
> groups?
>
> I am currently looking at a forest which had some issues after
> DCPromo'ing some of the DCs, most of the problems appear to be
> resolved.
>
> However, a few of the DCs (Windows 2003 SP1) have a rather odd entry in
> GPResult (and GPMC) output :
>
> The computer is a part of the following security groups
> -------------------------------------------------------
> BUILTIN\Administrators
> Everyone
> BUILTIN\Users
> NT AUTHORITY\NETWORK
> NT AUTHORITY\Authenticated Users
> This Organization
> <computeraccountname>$
> Domain Computers
>
> So it is reporting to be a member of Domain Computers, when it should
> not be.
>
> More concerning is that it is not reporting as being a member of the
> following groups :
> BUILTIN\Pre-Windows 2000 Compatible Access
> Windows Authorization Access Group
> Domain Controllers
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>
> Via Active Directory Users and Computers, group membership appears
> correct.
>
> Looking at the attributes of the DC's computer account, it can be seen
> that the "primaryGroupID" is 516 (Domain Controllers).
>
> I have had a good look over the DC and can not see sign of any other
> problems and the DC is being used by clients without issues.
>
> Does anyone have any suggestions as to why the group membership appears
> incorrect? Or how else to interrogate the computer's token?
>
>
> Also, something I have not noticed before : looking at the attributes
> of a DC's computer account via LDP, "Domain Controllers" is not listed
> in memberOf. Is that expected behaviour and if so why?
>
> Many thanks,
> Ali.
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/