Neil,
You responded to the thread where Steve already corrected himself. Read the doc
you cited again. Only the EDC membership changes during the process you
described. EDC itself is NOT created at this point. It is merely made a member
of the newly-created "Windows Authorization Access" group.
Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon
From: [EMAIL PROTECTED]
Sent: Wed 11/22/2006 1:32 AM
To: [email protected]
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
I believe SteveL may have already suggested that this group is only
available post w2k, and only after the PDC in the domain has been
upgraded. Further info here:
http://technet2.microsoft.com/WindowsServer/en/library/08eb226b-0192-4c0
5-b919-c9311bafae351033.mspx?mfr=true
neil
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 22 November 2006 05:36
To: [email protected]
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
Hi there,
I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. Its not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.
Cheers everyone for your assistance... ;-)
Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/
|---------+---------------------------------->
| | |
| | |
| | |
| | Steve Linehan |
| | <[EMAIL PROTECTED]|
| | > |
| | Sent by: |
| | [EMAIL PROTECTED]|
| | tivedir.org |
| | |
| | |
| | 22/11/2006 03:33 p.m. |
| | Please respond to |
| | ActiveDir |
| | |
|---------+---------------------------------->
>-----------------------------------------------------------------------
---------------------------------------|
|
|
| To: "[email protected]"
<[email protected]> |
| cc:
|
| Subject: RE: [ActiveDir] Enterprise Domain Controllers group
missing... |
>-----------------------------------------------------------------------
---------------------------------------|
Sorry read and responded to this to fast you should have an Enterprise
Domain Controllers group however it becomes a member of "Windows
Authorization Access group" after the PDC upgrade. You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.
Thanks,
-Steve
________________________________________
From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: [email protected]
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
You have to upgrade or install one of the servers in each domain to
Windows Server 2003 and then transfer the PDC Emulator role to the
upgraded or added Windows Server 2003 box. When a Windows Server 2003
box takes over the PDC Emulator FSMO role it will create these new
security principals.
This is documented under the section titled "Windows Server 2003 Well
Known Security Principals" in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4ed
b-a2f4-d5794d31c2a71033.mspx
.
Thanks,
-Steve
________________________________________
From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: [email protected]
Subject: [ActiveDir] Enterprise Domain Controllers group missing...
- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.
- We now receive the following error when trying to access group
policies, "The Enterprise Domain Controllers group does not have read
access to this GPO. The Enterprise Domain Controllers group must have
read access on all GPO's in the domain in order for Group Policy
Modelling to function properly. To learn more about this issue and how
you can correct it, click Help.".
- I can confirm we do not have an "Enterprise Domain Controllers" group
in any of the domains.
- I have found the following article "
http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4be
e-84c9-1994921658cd1033.mspx?mfr=true
" which shows how to fix the GPO issue using
"GrantPermissionOnAllGPOs.wsf"...but this assumes we actually have the
group "Enterprise Domain Controllers" available. From further reading I
see this group has a specific SID of S-1-5-9 so I can not simply create
a new group.
- Does anyone have any idea how the group "Enterprise Domain
Controllers"
can be recreated with the correct SID of S-1-5-9 so that we can run the
script "GrantPermissionOnAllGPOs.wsf" to fix the group policy problem?
Thanks in advance,
Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
