Re: Group Domain Admins cannot be found

Thanks for the prompt reply, Craig.

The group was a global group. Yes, I did try the Advanced Find as well.

Changing the Domain Functional level (mode) appears to have fixed my
problem; it appears that global security groups are considered as
Universal Security groups when it comes to the restriction.

I think the reasoning is:

In Windows 2000 Mixed mode (the default mode on install) Universal
groups (includes Global??) are only enabled for distribution groups; they
are disabled for Security groups.

Changing mode to Windows 2000 Native mode enables Universal groups for
security groups too.

There are a couple of other differences as well.

It has certainly enabled me to add the group!

It seems whoever installed the AD just accepted the defaults even
though there were no NT machines. I do have W2k servers as well as W2k3,
so I have not raised the level to Windows 2003 interim or native mode
yet.

Wonder what happens when I introduce a couple of 2008 servers ;)

Steve B

