Wrong NTFS-Permissions after dcpromo



Hello group,


I just remarked that on my DC the NTFS-permissions of the default
Windows-folders (e.g. C:\WINDOWS, C:\Program Files, etc.) do not
contain the group "server-operators" but instead they contain the SID
"S-1-5-32-547".

Probably this happened some time ago when I used DCPROMO to upgrade
the server to the first DC in the forest. Now, unfortunately there
are too many implementations on this machine to just downgrade the
server and run dcpromo again.

I am not confident in just applying the security-template "DC
Security.inf" again because some TechNet article states that
permissions for recently added files, registry-keys and system services
will be overwritten.

I am furthermore aware that the tool subinacl can for example
substitute old SIDs with new ones.
Could this be a possibility in that case?
Or to say it in other words: is dcpromo - when it runs correctly -
exactly substituting the SID of the power users group
( "S-1-5-32-547" ) with the one of the server operators group in each
subfolder everywhere in the filesystem?


Any help would be appreciated,
Sincerely
Marco
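
Added example, not part of the original post: a read-only PowerShell audit that lists every folder ACE referencing the SID quoted above, so the scope is known before subinacl or a security template is applied. The root folders come from the post; PowerShell 3.0 or later and the function names are assumptions.

```powershell
# Read-only audit: reports ACEs for one SID, changes nothing.
$TargetSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-547'  # SID quoted in the post
$Roots     = 'C:\WINDOWS', 'C:\Program Files'                              # folders named in the post

# Hypothetical helper: try to map the SID to an account name on this machine.
function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { '<unresolved>' }   # no account on this machine maps to the SID
}

# Hypothetical helper: emit one record per ACE on $Path that names $Sid.
function Get-SidAce {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $Path"; return }
    # Request identities as SIDs so unresolved accounts still compare cleanly.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -eq $Sid.Value) {
            [pscustomobject]@{
                Path      = $Path
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check each root, then every subfolder beneath it.
$findings = foreach ($root in $Roots) {
    Get-SidAce -Path $root -Sid $TargetSid
    Get-ChildItem -LiteralPath $root -Recurse -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SidAce -Path $_.FullName -Sid $TargetSid }
}

'{0} resolves to: {1}' -f $TargetSid.Value, (Resolve-SidName $TargetSid)
'Explicit ACEs: {0}, inherited ACEs: {1}' -f `
    @($findings | Where-Object { -not $_.Inherited }).Count,
    @($findings | Where-Object { $_.Inherited }).Count

# Explicit ACEs are the ones a replacement would have to touch; inherited ones follow their parent.
$findings | Where-Object { -not $_.Inherited } | Sort-Object Path | Format-Table -AutoSize
```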
