| Author | Messages | |
Shanzao
Posts:45
 | | 09/22/2010 3:32 PM |
| Hi all,
I am just looking at implementing a tool that is going into a Management domain that has a one way trust into the resource domain.
When looking at settings from within GPMC, all of the accounts are resolved; when looking at the accounts from within GPE, they are returned as SIDs. Has anyone seen this before?
Thanks,
Sean McCarthy Technical Services AXA Tech MESD Region (UK)
eMail: xxxxxxxxxxxxxxxx Int: 748 4805 Tel: +44 (0) 1253 684805
Please consider the environment before printing this message.
This email originates from AXA Technology Services UK Limited (reg. no. 1854856) which has its registered office at 5 Old Broad Street, London EC2N 1AD, England.
This message and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this in error, you should not disseminate or copy this email. Please notify the sender immediately and delete this email from your system.
Please also note that any opinions presented in this email are solely those of the author and do not necessarily represent those of The AXA UK Plc Group.
Email transmission cannot be guaranteed to be secure, or error free as information could be intercepted, corrupted, lost, destroyed, late in arriving or incomplete as a result of the transmission process. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission.
Finally, the recipient should check this email and any attachments for viruses. The AXA UK Plc Group accept no liability for any damage caused by any virus transmitted by this email.
| | | |
| DarraghOShaughnessy
Posts:177
 | | 09/22/2010 3:40 PM |
| I.e. when connected into GPMC and clicking 'Edit' on the context menu, the SIDs are present in the GPO editor as opposed to the names?
What Domain controller is GPMC connected to? Is it in your local site and is it a global catalogue?
Darragh O'Shaughnessy
| | | |
| Shanzao
Posts:45
 | | 09/22/2010 4:56 PM |
| That's correct Darren, this is a very strange occurrence!!!
Connected to the PDC emulator which is also a GC
| | | |
| DarraghOShaughnessy
Posts:177
 | | 09/22/2010 5:51 PM |
| It's Darragh actually (Irish name!) :-)
What settings are you looking at in GPE specifically? GPMC caches scope and delegation data as far as I remember. Are you running GPMC from a desktop machine? Sometimes when SIDs won't resolve to names, it means trust has been lost between the workstation and the domain or that those accounts have been deleted from the domain, hence the SID cannot be resolved.
Darragh O'Shaughnessy
| | | |
| dmarelia
Posts:441
 | | 09/22/2010 5:54 PM |
| Yea, I was wondering how I had gotten onto the thread without contributing.
Also, are the security principals that aren't resolving in the management domain or resource domain?
Darren
| | | |
| Shanzao
Posts:45
 | | 09/23/2010 9:32 AM |
| Thanks Darragh (I should know better!!!) I must have had Darren on the brain!!!
The security principals are in the resource domain (trusting). I set up the trust both ways and slowly but surely the names started to resolve; not going to be very good for my design though! I am going to have to install a console in each of the five domains as opposed to two consoles in the Management Domain; think this must be a bug with the GPE code. If the settings can be found via the delegation tab within the settings, then surely this should also work within GPE? :-(
Sean
| | | |
| DarraghOShaughnessy
Posts:177
 | | 09/23/2010 9:34 AM |
| Hi,
Which settings are they? Also, have you resolved them OK from the command line using psgetsid.exe or the like?
Darragh (aka Darren) O'Shaughnessy
| | | |
| Shanzao
Posts:45
 | | 09/23/2010 9:42 AM |
| User Rights Assignment ;-)
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Excuse my acronym ignorance but what is URA?!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
I'm never going to live this down :-O
Anything with URA is showing as a SID; only the well-known SIDs resolve. psgetsid works.
Sean
| | | |
| DarraghOShaughnessy
Posts:177
 | | 09/23/2010 9:45 AM |
| Hmmm, does your computer have the right: "Access this Computer from the Network" permission at the validating domain controller?
Darragh O'Shaughnessy
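The check discussed in this thread (do the SIDs behind User Rights Assignment settings resolve from the machine running the console, the way psgetsid does) can be scripted against the GPO's `GptTmpl.inf`, whose `[Privilege Rights]` section stores those settings. This is an added example, not part of the original thread; the function names are hypothetical and the SIDs in the sample are constructed.

```powershell
# Added example: list every member of each user right in a GptTmpl.inf and try to
# translate SID entries to names from the current machine and security context.

function Get-PrivilegeRightEntries {
    # Yields one object per (right, member) pair from the [Privilege Rights] section.
    param([string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $right, $value = $t -split '\s*=\s*', 2
        foreach ($member in ($value -split ',')) {
            $m = $member.Trim()
            if ($m) { [pscustomobject]@{ Right = $right; Member = $m } }
        }
    }
}

function Resolve-RightMember {
    # Entries prefixed with '*' are SIDs; anything else was stored as a plain name.
    param([string]$Member)
    $result = [pscustomobject]@{ Name = $null; DomainSid = ''; Status = 'InvalidSid'; Detail = '' }
    if (-not $Member.StartsWith('*')) {
        $result.Name = $Member
        $result.Status = 'StoredAsName'
        return $result
    }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Member.Substring(1))
        # Empty for well-known SIDs; for account SIDs it identifies the owning domain,
        # which shows whether the failures are all on one side of the trust.
        $result.DomainSid = [string]$sid.AccountDomainSid
        $result.Status = 'Unresolved'
        $result.Name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $result.Status = 'Resolved'
    } catch {
        # Keeps the underlying reason (unmapped identity, trust failure, bad SID string).
        $result.Detail = $_.Exception.GetBaseException().Message
    }
    $result
}

# Constructed sample input. For a real GPO, replace with:
#   $lines = Get-Content -LiteralPath '<path to the GPO GptTmpl.inf>'
$lines = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Get-PrivilegeRightEntries -InfLines $lines | ForEach-Object {
    $r = Resolve-RightMember -Member $_.Member
    [pscustomobject]@{
        Right     = $_.Right
        Member    = $_.Member
        Name      = $r.Name
        DomainSid = $r.DomainSid
        Status    = $r.Status
        Detail    = $r.Detail
    }
} | Format-Table -AutoSize -Wrap
```

Running it from the management-domain console host and again from a host in the resource domain shows whether the unresolved entries share one `DomainSid`, and the `Detail` column separates deleted accounts from trust or access failures.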
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
User Rights Assignment ;-)
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Excuse my acronym ignorance but what is URA?!
Darragh OShaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Im never going to do live this down :-O :-)
Anything with URA is showing as a SID, only the well known SIDS resolve, psgetsid works///
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:35 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
HI,
Which settings are they? Also, have you resolve them ok from the command line using psgetsid.exe or the like?
Darragh (aka Darren) OShaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:31 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Thanks Darragh (I should know better!!!) I must have had Darren on the brain!!!
The security principles are in the resource domain (trusting), I set up the trust both ways and slowly but surely the names started to resolve, not going to be very good for my design though! I am going to have to install a console in each of the five domains opposed to two consoles in the Management Domain, think this must be a bug with the GPE code. If the settings can be found via the delegation tab within the settings, then surely this should also work within GPE? :-(
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 22 September 2010 17:52 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Yea, I was wondering how I had gotten onto the thread without contributing
.
Also, are the security principals that arent resolving in the management domain or resource domain?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 22, 2010 9:51 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
It's Darragh actually (Irish name!) :-)
What settings are you looking at in GPE specifically? GPMC caches scope and delegation data as far as I remember. Are you running GPMC from a desktop machine? Sometimes when SIDs won't resolve to names, it means trust has been lost between the workstation and the domain or that those accounts have been deleted from the domain, hence the SID cannot be resolved.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 16:54 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
That's correct Darren, this is a very strange occurrence!!!
Connected to the PDC emulator which is also a GC
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 22 September 2010 15:40 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
i.e. when connected into GPMC and clicking 'Edit' on the context menu, the SIDs are present in the GPO editor as opposed to the names?
What Domain controller is GPMC connected to? Is it in your local site and is it a global catalogue?
Darragh O'Shaughnessy
| | | |
| Shanzao
Posts:45
 | | 09/23/2010 10:10 AM |
| Was not added, I have just added both Terminal Server and GPO MGMT group to no avail... not good at all!
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:44 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Hmmm, does your computer have the right:
"Access this Computer from the Network" permission at the validating domain controller?
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
User Rights Assignment ;-)
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Excuse my acronym ignorance but what is URA?!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
I'm never going to live this down :-O
Anything with URA is showing as a SID, only the well-known SIDs resolve, psgetsid works///
Sean
| | | |
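An added example, not part of the thread and not code from any of the posters: User Rights Assignment entries are stored in a GPO's GptTmpl.inf as `*SID` values, so whatever displays them has to translate each SID to a name. The PowerShell below parses a constructed sample of that file and reports which trustees the machine and account it runs under can translate; the function names are hypothetical and the `S-1-5-21-1111111111-...` domain SIDs are made-up placeholders.

```powershell
# Constructed sample of a GPO security template (GptTmpl.inf). In a real GPO the
# file lives under the policy's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL.
# The S-1-5-21-1111111111-... SIDs are placeholders and will not exist anywhere.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1106
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-PrivilegeRightEntry {
    # Emit one object per (user right, trustee) pair from the [Privilege Rights] section.
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }

        $right, $value = $line -split '\s*=\s*', 2
        if (-not $value) { continue }   # a right with an empty trustee list

        foreach ($trustee in ($value -split ',')) {
            $trustee = $trustee.Trim()
            if ($trustee -ne '') {
                [pscustomobject]@{ Right = $right.Trim(); Trustee = $trustee }
            }
        }
    }
}

function Resolve-Trustee {
    # Try the SID-to-name translation and classify the outcome.
    param([Parameter(Mandatory)][string]$Trustee)

    # Entries without a leading '*' are stored as account names, not SIDs.
    if (-not $Trustee.StartsWith('*')) {
        return [pscustomobject]@{ Sid = $null; Name = $Trustee; Status = 'StoredAsName' }
    }

    $sidText = $Trustee.TrimStart('*')
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{ Sid = $sidText; Name = $name; Status = 'Resolved' }
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # The lookup completed but no account name came back for this SID:
        # deleted account, or a domain this machine cannot query.
        [pscustomobject]@{ Sid = $sidText; Name = $null; Status = 'Unresolved' }
    }
    catch {
        # Malformed SID string, or the lookup itself failed (for example a broken trust).
        [pscustomobject]@{ Sid = $sidText; Name = $null; Status = "Error: $($_.Exception.Message)" }
    }
}

# Report every trustee; 'Unresolved' rows are the ones an editor would show as raw SIDs.
Get-PrivilegeRightEntry -InfText $sampleInf | ForEach-Object {
    $result = Resolve-Trustee -Trustee $_.Trustee
    [pscustomobject]@{
        Right  = $_.Right
        Sid    = $result.Sid
        Name   = $result.Name
        Status = $result.Status
    }
} | Format-Table -AutoSize
```

On the constructed sample the well-known SIDs (S-1-5-11, S-1-5-32-544, S-1-5-32-555) resolve locally while the placeholder domain SIDs come back `Unresolved`, which is the same split between well-known and domain SIDs reported in the thread.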
| DarraghOShaughnessy
Posts:177
 | | 09/23/2010 10:12 AM |
| So authenticated users do not have this right at that DC
Similar issue for Windows 7:
http://support.microsoft.com/kb/974639
Darragh O'Shaughnessy
| | | |
| Shanzao
Posts:45
 | | 09/23/2010 10:21 AM |
| It does this from W2K3 as well, but is definitely worth a try,
Will get back to you with some hopefully good news 
| | | |
| DarraghOShaughnessy
Posts:177
 | | 09/23/2010 10:24 AM |
| Also, one last thing, what's the forest/domain functional levels at in the domains/forest? Are there a mixture of DC OS's? If so, what OS holds the FSMO roles or PDC role?
Darragh O'Shaughnessy
| | | |
| Shanzao
Posts:45
 | | 09/23/2010 10:32 AM |
| FFL and DFL is currently 2000 in the Resource Domain and 2003 in the MGMT Domain, but this is also happening with 2003 - 2003 Domains as well, all DC OS's are 2003 and terminal servers are either W2K8 R2 or W2K3 R2
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:23 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Also, one last thing, what's the forest/domain functional levels at in the domains/forest? Are there a mixture of |DC OS's. if so, what os holds the FSMO roles or PDC role?
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:17 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
It does this from W2K3 as well, but is definitely worth a try,
Will get back to you with some hopefully good news 
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:14 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
So authenticated users do not have this right at that DC
Similar issue for windows 7:
http://support.microsoft.com/kb/974639
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:09 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Was not added, I have just added both Terminal Server and GPO MGMT group to no avail... not good at all!
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:44 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Hmmm, does your computer have the right:
"Access this Computer from the Network" permission at the validating domain controller?
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
User Rights Assignment ;-)
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Excuse my acronym ignorance but what is URA?!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
I'm never going to live this down :-O :-)
Anything with URA is showing as a SID, only the well-known SIDs resolve, psgetsid works///
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:35 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Hi, which settings are they? Also, have you resolved them OK from the command line using psgetsid.exe or the like?
Darragh (aka Darren) O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:31 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Thanks Darragh (I should know better!!!) I must have had Darren on the brain!!!
The security principals are in the resource domain (trusting). I set up the trust both ways and slowly but surely the names started to resolve; not going to be very good for my design though! I am going to have to install a console in each of the five domains as opposed to two consoles in the Management Domain. I think this must be a bug with the GPE code. If the settings can be found via the delegation tab within the settings, then surely this should also work within GPE? :-(
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 22 September 2010 17:52 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Yea, I was wondering how I had gotten onto the thread without contributing.
Also, are the security principals that aren't resolving in the management domain or resource domain?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 22, 2010 9:51 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
It's Darragh actually (Irish name!) :-)
What settings are you looking at in GPE specifically? GPMC caches scope and delegation data as far as I remember. Are you running GPMC from a desktop machine? Sometimes when SIDs won't resolve to names, it means trust has been lost between the workstation and the domain, or that those accounts have been deleted from the domain, hence the SID cannot be resolved.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 16:54 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
That's correct Darren, this is a very strange occurrence!!!
Connected to the PDC emulator which is also a GC
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 22 September 2010 15:40 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
i.e. when connected into GPMC and clicking 'Edit' on the context menu, the SIDs are present in the GPO editor as opposed to the names?
What Domain controller is GPMC connected to? Is it in your local site and is it a global catalogue?
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 15:29 To: xxxxxxxxxxxxxxxx Subject: [gptalk] Problems with resolution of accounts from mgmt domain
Hi all,
I am just looking at implementing a tool that is going into a Management domain that has a one way trust into the resource domain.
When looking at settings from within GPMC, all of the accounts are resolved; when looking at the accounts from within GPE, they are returned as SIDs. Has anyone seen this before?
Thanks,
Sean McCarthy Technical Services AXA Tech MESD Region (UK)
eMail: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Int: 748 4805 Tel: +44 (0) 1253 684805
| | | |
| DarraghOShaughnessy
Posts:177
 | | 09/23/2010 10:35 AM |
| And did you say all the well known SIDS resolve ok?
Darragh O'Shaughnessy
| | | |
| Shanzao
Posts:45
 | | 09/23/2010 10:56 AM |
| That's correct, things like Administrators, Authenticated Users and System...
| | | |
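The symptom discussed in this thread (User Rights Assignment entries shown as raw SIDs while well-known SIDs such as Administrators and Authenticated Users still resolve) can be checked outside the editor. The script below is an added example, not code from any poster in the thread: it reads the `[Privilege Rights]` section of a GPO security template, tries to translate each SID from the machine it runs on, and groups the failures by domain SID. The function names are hypothetical, and the template content and the `S-1-5-21-...` domain SID are constructed sample values.

```powershell
# Constructed sample in GptTmpl.inf format. In a real check, read the file instead:
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# The S-1-5-21-... values are made up for illustration.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-PrivilegeRightEntry {
    # Emits one object per (user right, member) pair found under [Privilege Rights].
    param([Parameter(Mandatory)][string[]]$Line)
    $inSection = $false
    foreach ($l in $Line) {
        $t = $l.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($t -match '^(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            foreach ($member in ($Matches[2] -split ',')) {
                $m = $member.Trim()
                if ($m) { [pscustomobject]@{ Right = $right; Member = $m } }
            }
        }
    }
}

function Resolve-PolicyMember {
    # Translates a "*S-1-..." template entry to DOMAIN\name from this machine.
    param([Parameter(Mandatory)][string]$Member)
    if ($Member -notmatch '^\*(S-1-[0-9-]+)$') {
        # Entry was stored by name, so there is nothing to translate.
        return [pscustomobject]@{ Member = $Member; Kind = 'Name'; DomainSid = $null
                                  Name = $Member; Error = $null }
    }
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
    # Account SIDs (S-1-5-21-<domain>-<RID>) need a lookup against the issuing
    # domain; well-known SIDs are answered locally and do not cross a trust.
    $kind = if ($sid.IsAccountSid()) { 'DomainAccount' } else { 'WellKnown' }
    $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
    $name = $null; $err = $null
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $err = 'Not mapped: account deleted, or issuing domain not reachable over the trust'
    } catch {
        # Any other failure (for example a broken secure channel) is reported as-is.
        $err = $_.Exception.Message
    }
    [pscustomobject]@{ Member = $Member; Kind = $kind; DomainSid = $domainSid
                       Name = $name; Error = $err }
}

$results = Get-PrivilegeRightEntry -Line ($sampleInf -split "`r?`n") | ForEach-Object {
    $entry = $_
    Resolve-PolicyMember -Member $entry.Member |
        Add-Member -NotePropertyName Right -NotePropertyValue $entry.Right -PassThru
}

# Per-entry view: which rights carry members that do not translate here.
$results | Format-Table Right, Member, Kind, Name, Error -AutoSize

# Failures grouped by issuing domain. If every unresolved SID shares one domain
# SID, suspect the lookup path to that domain (trust direction, DNS, rights on
# the validating DC) before suspecting deleted accounts.
$results | Where-Object { -not $_.Name } |
    Group-Object DomainSid |
    Select-Object Count, @{ n = 'DomainSid'; e = { $_.Name } }
```

Running it from both the management-domain console host and a host in the resource domain shows whether the failure follows the machine doing the lookup rather than the GPO contents.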
| Shanzao
Posts:45
 | | 09/23/2010 11:55 AM |
| No joy after applying the fix :-(
Looks like it's going to be a GPA console in each of the domains... Unless by some kind of magic GPA stops using MS native tools in their next patch... hummm
| | | |
| omar
Posts:97
 | | 09/23/2010 6:50 PM |
| After the patch you have to do some manual editing of files. Did you do that?
One thing I was wondering as I looked through this thread: has the DNS configuration, both on the NIC of the machine you are running GPMC and GPOE (editor), been reviewed?
In some cases NetBIOS resolution can work, but in other cases DNS needs to work 100% to resolve SIDs.
Now I have not tried to reproduce this, and the fact that there is a hotfix alludes to the fact that this is a bug, but I have done this several times before and I haven't come across this yet.
Can you detail the domain/forest configuration of the environment a bit?
Are there multiple forests?
Single forest, multiple trees?
All domains in the same forest? And if so, what are the domain relationships?
I assume, with the fact that you started with a one-way trust and then changed to a two-way trust, you have multiple forests?
I would start with a DNS review first on the DCs in both domains and the clients as well: DNS forwarding, DNS search suffixes, etc.
Omar
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: Thursday, September 23, 2010 3:53 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
No Joy after applying the fix :-(
Looks like it's going to be a GPA console in each of the domains... Unless by some kind of Magic GPA stops using MS native tools in their next patch... hummm
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:34 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
And did you say all the well known SIDS resolve ok?
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:30 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
FFL and DFL is currently 2000 in the Resource Domain and 2003 in the MGMT Domain, but this is also happening with 2003 - 2003 Domains as well, all DC OS's are 2003 and terminal servers are either W2K8 R2 or W2K3 R2
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:23 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Also, one last thing, what's the forest/domain functional levels at in the domains/forest? Are there a mixture of DC OS's? If so, what OS holds the FSMO roles or PDC role?
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:17 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
It does this from W2K3 as well, but is definitely worth a try,
Will get back to you with some hopefully good news :-)
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 10:14 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
So authenticated users do not have this right at that DC
Similar issue for windows 7:
http://support.microsoft.com/kb/974639
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 10:09 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Was not added, I have just added both Terminal Server and GPO MGMT group to no avail... not good at all!
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:44 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Hmmm, does your computer have the right:
"Access this Computer from the Network" permission at the validating domain controller?
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
User Rights Assignment ;-)
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:41 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Excuse my acronym ignorance but what is URA?!
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:37 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
I'm never going to live this down :-O :-)
Anything with URA is showing as a SID, only the well known SIDS resolve, psgetsid works///
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 23 September 2010 09:35 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Hi, which settings are they? Also, have you resolved them OK from the command line using psgetsid.exe or the like?
Darragh (aka Darren) O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 23 September 2010 09:31 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Thanks Darragh (I should know better!!!) I must have had Darren on the brain!!!
The security principals are in the resource domain (trusting), I set up the trust both ways and slowly but surely the names started to resolve, not going to be very good for my design though! I am going to have to install a console in each of the five domains as opposed to two consoles in the Management Domain, think this must be a bug with the GPE code. If the settings can be found via the delegation tab within the settings, then surely this should also work within GPE? :-(
Sean
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 22 September 2010 17:52 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
Yea, I was wondering how I had gotten onto the thread without contributing .
Also, are the security principals that aren't resolving in the management domain or resource domain?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: Wednesday, September 22, 2010 9:51 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
It's Darragh actually (Irish name!) :-)
What settings are you looking at in GPE specifically? GPMC caches scope and delegation data as far as I remember. Are you running GPMC from a desktop machine? Sometimes when SIDs won't resolve to names, it means trust has been lost between the workstation and the domain or that those accounts have been deleted from the domain, hence the SID cannot be resolved.
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 16:54 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
That's correct Darren, this is a very strange occurrence!!!
Connected to the PDC emulator which is also a GC
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darragh O'Shaughnessy Sent: 22 September 2010 15:40 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Problems with resolution of accounts from mgmt domain
i.e. when connected into GPMC and clicking 'Edit' on the context menu, the SIDs are present in the GPO editor as opposed to the names?
What Domain controller is GPMC connected to? Is it in your local site and is it a global catalogue?
Darragh O'Shaughnessy
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of MCCARTHY Sean (AXA-TECH-UK) Sent: 22 September 2010 15:29 To: xxxxxxxxxxxxxxxx Subject: [gptalk] Problems with resolution of accounts from mgmt domain
Hi all,
I am just looking at implementing a tool that is going into a Management domain that has a one way trust into the resource domain.
When looking at settings from within GPMC, all of the accounts are resolved; when looking at the accounts from within GPE, they are returned as SIDs. Has anyone seen this before?
Thanks,
| | | |
| DarraghOShaughnessy
Posts:177
 | | 09/23/2010 8:47 PM |
| I think he verified DNS outside of GPMC but I may be wrong. It might be worth at this stage running a net trace to see if the app is even trying to resolve the names and what server it's using to do this.
Regards,
Darragh O'Shaughnessy IT Services Department
| | | |
| Shanzao
Posts:45
 | | 09/24/2010 9:43 AM |
| Hi Omar,
Have looked at DNS, appears not to be an issue... the forests both share the same 2 DNS servers (Vital)
This is between two forests, 2 domains per forest, Root/Child.
The patch has not worked....
There is now a call opened with Microsoft,
Darragh... My email was open and you were noted by the MS Consultant ;-)
Sean
| | | |
|
|
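Added example, not written by any poster in the thread: User Rights Assignment entries are stored in a GPO's GptTmpl.inf as `*S-1-...` values, so the symptom discussed above can be checked outside the editor by translating each stored SID on the management machine and grouping the failures by domain SID. The function name `Get-UraSidResolution`, the sample template and its S-1-5-21 values are constructed for illustration.

```powershell
# Constructed sample of a GPO security template (GptTmpl.inf). The S-1-5-21-...
# values are made-up placeholders, not SIDs from the thread.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1106
SeServiceLogonRight = EXAMPLE\svc-legacy
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Hypothetical helper (the name is an assumption of this example).
# Emits one object per SID found in the [Privilege Rights] section.
function Get-UraSidResolution {
    param([Parameter(Mandatory = $true)][string]$InfText)

    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()

        # Track which INF section we are in.
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }

        $right   = $Matches[1]
        $members = $Matches[2] -split ','

        foreach ($member in $members) {
            $member = $member.Trim()
            # SIDs are stored with a leading '*'; anything else is already a name.
            if ($member -notmatch '^\*(S-1-[0-9-]+)$') { continue }
            $sidText = $Matches[1]

            $name = $null; $domainSid = $null; $failure = $null
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidText
                # AccountDomainSid is null for well-known and BUILTIN SIDs.
                if ($sid.AccountDomainSid) { $domainSid = $sid.AccountDomainSid.Value }
                # Same OS lookup path a console relies on to show a name.
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Typically IdentityNotMappedException when no reachable
                # authority can map the SID.
                $failure = $_.Exception.GetBaseException().GetType().Name
            }

            [pscustomobject]@{
                Right     = $right
                Sid       = $sidText
                DomainSid = $domainSid
                Name      = $name
                Failure   = $failure
            }
        }
    }
}

$results = Get-UraSidResolution -InfText $sampleInf
$results | Format-Table Right, Sid, Name, Failure -AutoSize

# Unresolved SIDs grouped by the domain that issued them.
$results | Where-Object { -not $_.Name } |
    Group-Object DomainSid |
    Select-Object Count, @{ n = 'DomainSid'; e = { $_.Name } }
```

Run against a real template, the grouped output shows whether the failures all belong to one domain SID, which is the question the DNS and trust checks in the thread are trying to answer.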