Hi there,

I read that in another article as well...

http://groups.google.co.nz/group/microsoft.public.windows.server.active_directory/browse_thread/thread/37eb3a91907d3f4e/4173fe072f7269b9?lnk=st&q=The+Enterprise+Domain+Controllers+group+does+not+have+read+access+to+this+GPO&rnum=2&hl=en#4173fe072f7269b9

...but we have nothing under foreign security principals which matches the SID we are after.

Does anyone know how to create a group that uses a well known SID or how this group is created initially so we can repeat the process?

Thanks,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]tivedir.org
22/11/2006 03:16 p.m.
Please respond to ActiveDir

To: [email protected]
cc:
Subject: Re: [ActiveDir] Enterprise Domain Controllers group missing...

View Advanced Features
Look in Foreign Security Principals that I recall?

[EMAIL PROTECTED] wrote:
> - We recently upgraded the schema in one forest from Windows 2000 to
> Windows 2003.
>
> - We now receive the following error when trying to access group policies,
> "The Enterprise Domain Controllers group does not have read access to this
> GPO. The Enterprise Domain Controllers group must have read access on all
> GPO's in the domain in order for Group Policy Modelling to function
> properly. To learn more about this issue and how you can correct it, click
> Help.".
>
> - I can confirm we do not have an "Enterprise Domain Controllers" group in
> any of the domains.
>
> - I have found the following article "
> http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true
> " which shows how to fix the GPO issue using
> "GrantPermissionOnAllGPOs.wsf"...but this assumes we actually have the
> group "Enterprise Domain Controllers" available. From further reading I
> see this group has a specific SID of S-1-5-9 so I can not simply create a
> new group.
>
> - Does anyone have any idea how the group "Enterprise Domain Controllers"
> can be recreated with the correct SID of S-1-5-9 so that we can run the
> script "GrantPermissionOnAllGPOs.wsf" to fix the group policy problem?
>
> Thanks in advance,
>
> Matt Duguid
> Systems Engineer for Identity Services
> Department of Internal Affairs
>
> Phone: +64 4 4748028 (wellington)
> Mobile: +64 21 1713290
> Fax: +64 4 4748894
> Address: Level 4, 47 Boulcott Street, Wellington CBD
> E-mail: [EMAIL PROTECTED]
> Web: http://www.dia.govt.nz/
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/[email protected]/
>

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
