partial and full SIDs in gpo's?

djc

windows 2000 sp4 (native mode domain - 2 domain controllers)

I was browsing the user rights assignments section of the GPO assigned to
the Domain Controllers OU and noticed several items with SIDs and/or partial
SIDs instead of user/group names listed. Here is an example of what I mean
by a partial SID: *S-1-5-32-549 (taken from the user right to change the time).

The SID info is not the only thing listed. There are readable user/group
names also. What's with the SID info? Can I remove them?
 
djc said:
windows 2000 sp4 (native mode domain - 2 domain controllers)

I was browsing the user rights assignments section of the GPO assigned to
the Domain Controllers OU and noticed several items with SIDs and/or partial
SIDs instead of user/group names listed. Here is an example of what I mean
by a partial SID: *S-1-5-32-549 (taken from the user right to change the time).

The SID info is not the only thing listed. There are readable user/group
names also. What's with the SID info? Can I remove them?

Usually, but don't be quick about it until you do some checking.

Usually these are due to older and now missing trusted domains.
(On workstations/servers, i.e., non-DCs, this can also be due to
having left a domain for another domain or workgroup.)

Were the names from the current domain, they SHOULD be
resolvable to the display name, so generally this is due to names
from OTHER "account domains".
 
That is a full SID, it is the SID for Server Operators.

SIDs can take several different formats. After the S-1 it can look very
different based on the type of SID (for Windows, or for ADAM, or for a domain
principal, or a builtin, etc.), so you can't make any judgments on what is or
isn't valid without trying to have the system resolve them.

I wouldn't touch anything in the GPOs unless you know what you are doing and
unfortunately, I don't think you are there yet.

Note that only DCs will be able to resolve the Server Op SID because members
don't know about that group.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
see inline.

Joe Richards said:
That is a full SID, it is the SID for Server Operators.

SIDs can take several different formats. After the S-1 it can look very
different based on the type of SID (for Windows, or for ADAM, or for a domain
principal, or a builtin, etc.), so you can't make any judgments on what is or
isn't valid without trying to have the system resolve them.

I wouldn't touch anything in the GPOs unless you know what you are doing and
unfortunately, I don't think you are there yet.

Gee, thanks. I appreciate that. Hehe. Sound advice though.
Note that only DCs will be able to resolve the Server Op SID because members
don't know about that group.

you said:
"Note that only DCs will be able to resolve the Server Op SID because
members don't know about that group."

That was it 100%. I was using the AD MMC snap-in on a workstation. When
viewing the same GPO from a domain controller, all the SIDs resolved fine. I
was not aware that would happen. I realize that that account only resides on
domain controllers, but I assumed that since I was running the ADUC MMC as a
domain administrator, I would have access to the directory to resolve
those SIDs.

thanks for the info.
 
If the tool were written properly it would work; unfortunately, what it does is
resolve SIDs locally even though it is there to change info on a remote system.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
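The behaviour discussed in this thread (SIDs in a GPO's user rights assignments, and the fact that the MMC resolves them on the machine running the console rather than on the target) can be checked directly. The script below is an added example, not code from the thread or from Joe Richards: it parses the [Privilege Rights] section of a GptTmpl.inf and tries to resolve every *S-1-... entry with the local LSA, reporting which ones this host cannot map. Run it on a workstation and *S-1-5-32-549 comes back UNRESOLVED; run it on a domain controller and it resolves to BUILTIN\Server Operators. The INI fragment is constructed sample data, the SYSVOL path in the trailing comment is a placeholder, and the script assumes a management host with PowerShell (the original poster's Windows 2000 machines would not have it).

```powershell
# Added example (not from the original thread). Resolve the SID entries in the
# [Privilege Rights] section of a GPO security template on THIS machine, which
# is exactly what the GPO editor does when it shows raw SIDs.

# Constructed sample of a GptTmpl.inf fragment; entries prefixed with '*' are
# SIDs, the rest are plain account names. Contents are an assumption.
$sample = @'
[Privilege Rights]
SeSystemtimePrivilege = *S-1-5-32-549,*S-1-5-32-544,*S-1-5-19
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,CONTOSO\BackupSvc
'@

function Resolve-PrivilegeRights {
    param([string[]]$Lines)

    $inSection = $false
    foreach ($line in $Lines) {
        # Track which INI section we are in; only [Privilege Rights] matters here.
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '=') { continue }

        $right, $members = $line -split '=', 2
        foreach ($entry in ($members -split ',')) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }

            if ($entry.StartsWith('*')) {
                # '*' marks a SID string. Translate() asks the local LSA (LsaLookupSids),
                # so a BUILTIN alias that only exists on DCs fails on a member machine.
                $sidString = $entry.Substring(1)
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
                try {
                    $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    $status = 'resolved'
                } catch [System.Security.Principal.IdentityNotMappedException] {
                    $name   = $null
                    $status = 'UNRESOLVED'
                }
                [pscustomobject]@{
                    Right   = $right.Trim()
                    Entry   = $sidString
                    Name    = $name
                    Status  = $status
                    # S-1-5-32-* is the BUILTIN domain: local aliases, not domain objects.
                    Builtin = ($sidString -like 'S-1-5-32-*')
                }
            } else {
                # Already a name; nothing to resolve.
                [pscustomobject]@{
                    Right = $right.Trim(); Entry = $entry; Name = $entry
                    Status = 'name'; Builtin = $false
                }
            }
        }
    }
}

Resolve-PrivilegeRights -Lines ($sample -split "`r?`n") | Format-Table -AutoSize

# Against a real GPO, read the template from SYSVOL (path is a placeholder):
# Resolve-PrivilegeRights -Lines (Get-Content `
#   "\\contoso.com\SYSVOL\contoso.com\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf")
```

An UNRESOLVED row for a BUILTIN SID such as S-1-5-32-549 on a non-DC is expected and is not evidence of a stale entry; the same row resolves on a DC. An UNRESOLVED row for a domain SID (S-1-5-21-...) when the script is run on a DC is the case Joe describes: an account from a trust that no longer exists, and the candidate for removal after checking.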
 