Re: Domain-wide Print Operators Group - not working?



> In native mode(s) Domain Local Groups are available throughout the
> domain, on all servers and workstations.

This statement is correct but it has no bearing on this question.

Print Operators is a builtin group, not a domain local group. It has a SID (S-1-5-32-550) that has no domain affinity. What this means is that if a machine has to resolve the SID, it will resolve it to the local machine. For example, if you had D1 and D2 and a machine trusted both, and you were able to actually add Print Operators from one of those domains, the machine wouldn't be able to ascertain which domain the security principal was from, so in effect it either has to ignore domains or it has to honor any domain's builtin SID. Obviously the latter would be a huge security hole, since it would be in effect for ANY trusted domain.

As Paul indicated, it is just one more reason not to use the builtin groups. Create and delegate groups for your purposes.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Herb Martin wrote:
"Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx> wrote in message news:C4831EB6-6542-4F32-BF54-590D11688623@xxxxxxxxxxxxxxxx
> That may be by design:
> -- http://technet2.microsoft.com/WindowsServer/en/library/f6e01e51-14ea-48f4-97fc-5288a9a4a9b11033.mspx?mfr=true
>
> I can't remember, as it's not recommended that the built in groups be used.
>
> Does this help?
> -- http://support.microsoft.com/kb/259574
>
> Obviously, a lot of this depends on where the printers are. Print Operators is a local group, which means if you add someone to the domain group, it only applies to domain controllers. You need to use the local group for member servers.
>
> How have you configured this so far? And what are you expecting?

In native mode(s) Domain Local Groups are available throughout the
domain, on all servers and workstations.
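Joe's point that S-1-5-32-550 carries no domain identifier can be seen by parsing the SIDs themselves. The following is an added Python example written for this page; it is not code from the thread, from Microsoft, or from any of the posters. The two domain identifiers, the machine name and the trust table are constructed, and the resolver is a simplified model of how a member server attributes a SID, not the actual LSA lookup logic. It goes slightly beyond the post by contrasting the builtin SID with a domain-scoped group (Domain Admins, RID 512), which does carry its domain's S-1-5-21 prefix.

```python
# Added example (not from the thread): parse Windows SIDs and show why the
# BUILTIN\Print Operators SID, S-1-5-32-550, cannot be attributed to a domain,
# while a domain group's SID carries the identifier of the domain that owns it.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: two hypothetical trusted domains, D1 and D2. The
# domain identifiers are made up; S-1-5-32 (BUILTIN), RID 550 (Print Operators)
# and RID 512 (Domain Admins) are the real well-known values.
TRUSTED_DOMAINS = {
    "D1": "S-1-5-21-1111111111-2222222222-3333333333",
    "D2": "S-1-5-21-987654321-123456789-1122334455",
}
PRINT_OPERATORS = "S-1-5-32-550"
DOMAIN_ADMINS_RID = 512


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the textual form S-<rev>-<authority>-<sub>-<sub>..."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        # Revision is always 1; subauthorities are 32-bit, at most 15 of them.
        if revision != 1 or len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *(str(s) for s in self.subauthorities)])

    @property
    def is_builtin(self) -> bool:
        """S-1-5-32-<rid>: the BUILTIN domain, identical on every machine."""
        return (self.authority == 5 and len(self.subauthorities) == 2
                and self.subauthorities[0] == 32)

    @property
    def domain_identifier(self) -> Optional["Sid"]:
        """For S-1-5-21-a-b-c-<rid>, the S-1-5-21-a-b-c prefix naming the
        owning domain; None for SIDs with no domain affinity."""
        if (self.authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21):
            return Sid(self.revision, self.authority, self.subauthorities[:4])
        return None

    @property
    def rid(self) -> Optional[int]:
        return self.subauthorities[-1] if self.subauthorities else None


def group_sid(domain_sid: str, rid: int) -> str:
    """Build the SID of a domain-scoped group from its domain's SID and a RID."""
    dom = Sid.parse(domain_sid)
    if not (dom.authority == 5 and len(dom.subauthorities) == 4
            and dom.subauthorities[0] == 21):
        raise ValueError(f"not a domain identifier: {domain_sid!r}")
    return str(Sid(dom.revision, dom.authority, dom.subauthorities + (rid,)))


def classify(sid_text: str) -> str:
    sid = Sid.parse(sid_text)
    if sid.is_builtin:
        return "builtin"
    if sid.domain_identifier is not None:
        return "domain"
    return "other"


def owning_domain(sid_text: str, trusted: dict) -> Optional[str]:
    """Name the trusted domain a group SID belongs to. Returns None both for a
    SID from an untrusted domain and for a builtin SID, which names no domain
    at all: D1's and D2's Print Operators are the same bytes on the wire."""
    dom = Sid.parse(sid_text).domain_identifier
    if dom is None:
        return None
    return next((name for name, d in trusted.items() if str(dom) == d), None)


def resolve_locally(sid_text: str, trusted: dict, machine: str = "MEMBER01") -> Optional[str]:
    """Simplified model (not LSA) of how a member server names a SID: a builtin
    SID is always its own local BUILTIN group, a domain SID is looked up against
    the domains it trusts, anything else stays unresolved."""
    sid = Sid.parse(sid_text)
    if sid.is_builtin:
        return f"BUILTIN on {machine} (RID {sid.rid})"
    return owning_domain(sid_text, trusted)


if __name__ == "__main__":
    for name, dom in TRUSTED_DOMAINS.items():
        # Both domains' Print Operators are the same SID; their Domain Admins differ.
        print(name, "Print Operators:", PRINT_OPERATORS,
              "Domain Admins:", group_sid(dom, DOMAIN_ADMINS_RID))
    print("resolved on SRV1:", resolve_locally(PRINT_OPERATORS, TRUSTED_DOMAINS, "SRV1"))
    print("owning domain of Print Operators:", owning_domain(PRINT_OPERATORS, TRUSTED_DOMAINS))
```

Running it prints the same S-1-5-32-550 for both domains next to two different Domain Admins SIDs, and owning_domain() returns None for the builtin SID: there is nothing in it for a trusting machine to match against its trust table, which is why the only sane resolution is "the local BUILTIN group", and why a domain-scoped group you create yourself is the right tool for delegating printer administration.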
