Built-in accounts?


William Stokes

Hello,

Does it matter where the Windows 2000 server built-in accounts and Groups
are located in Active Directory users and computers? I mean some are located
in the Builtin folder and some are in Users folder by default. Can I move
all builtin accounts and Groups to the Builtin folder? I haven't made any
changes to these folders' permissions. I have added domain members to some
of the groups.

Thanks
-Will
 
Yes, in some cases this actually matters. The users and built-in containers
are containers and OUs instead because of legacy NT 4.0 API support, as
well as applications that rely on the DN of built-in objects.
 
The only built-in security principals are those in the CN=Builtin container.
Things like Domain Admins, Administrator, etc. are not built-in security
principals. They are standard security principals with well-known RIDs.
Builtin principals don't have a domain-specific SID. They are domain/
workstation in-specific. Their SID is the same on any Windows NT x.x member
or domain.

You should leave the builtin objects where they are, and you should leave
things like Domain Admins, Administrator, etc. in the CN=Users folder, as
there are many applications that have these objects' DNs hard-coded in their
code. I won't go into the fact that this is bad programming practice. That
is the way it is.
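
An added example, not part of the original thread: the reply above distinguishes Builtin principals (same SID everywhere) from domain principals with well-known RIDs, and advises leaving both in CN=Builtin and CN=Users. This sketch decodes binary objectSid values, classifies them, and reports well-known principals found outside those default containers. The function names, domain SIDs and DNs are constructed for illustration.

```python
import struct

# Well-known RIDs documented by Microsoft (default English names).
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests", 551: "Backup Operators"}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

def decode_sid(raw: bytes) -> str:
    """Decode a binary objectSid value into S-R-A-S1-S2... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used here only to build the constructed sample."""
    _, rev, auth, *subs = sid.split("-")
    subs = [int(s) for s in subs]
    return bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def classify(sid: str):
    """Return (kind, default_name, default_container) for a SID string."""
    head, subs = sid.split("-")[:3], [int(s) for s in sid.split("-")[3:]]
    if head == ["S", "1", "5"] and len(subs) == 2 and subs[0] == 32:
        return ("builtin", BUILTIN_RIDS.get(subs[1]), "CN=Builtin")   # same SID everywhere
    if head == ["S", "1", "5"] and len(subs) == 5 and subs[0] == 21:
        return ("domain", DOMAIN_RIDS.get(subs[4]), "CN=Users")       # domain SID + well-known RID
    return ("other", None, None)

def misplaced(records):
    """List (dn, default_name) for well-known principals outside their default container."""
    found = []
    for dn, raw in records:
        _, name, container = classify(decode_sid(raw))
        parent = dn.partition(",")[2]                # assumes no escaped comma in the RDN
        if name and not parent.upper().startswith(container.upper() + ","):
            found.append((dn, name))
    return found

# Constructed sample: two made-up domains, one Domain Admins group moved into an OU.
DOM_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOM_B = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE = [
    ("CN=Administrators,CN=Builtin,DC=a,DC=test", encode_sid("S-1-5-32-544")),
    ("CN=Administrators,CN=Builtin,DC=b,DC=test", encode_sid("S-1-5-32-544")),
    ("CN=Domain Admins,CN=Users,DC=a,DC=test", encode_sid(DOM_A + "-512")),
    ("CN=Domain Admins,OU=Admin Groups,DC=b,DC=test", encode_sid(DOM_B + "-512")),
]
```

Calling `misplaced(SAMPLE)` returns only the Domain Admins group that was moved into an OU; in a real directory the records would come from an LDAP query returning `distinguishedName` and `objectSid`.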
 
If I remember right, if you move the Exchange admin groups, Exchange breaks.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.
 