Ownership of Authenticated Users Special Identity

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

What should the entry in the Local Users Group be for the Authenticated Users
Group on an XP workstation joined to a Domain? Should it be:

"domainname"\Authenticated Users

OR

NT AUTHORITY\Authenticated Users (S-1-5-11)

The reason I am asking is because of an updates problem experienced on a
client network - updates failed unless the computer was unjoined from domain
- temp fix of adding Domain admins to Backup and Restore User Rights. But
more looking shows many, many settings with a SID rather than User\Group name
on GPO settings - in particular the Local Users Group which shows the NT
AUTHORITY entry above.

I was expecting to find the Authenticated Users group owned by the Domain
not by the NT Authority. When looking further the NT Authority\Authenticated
Users group (identified by SID) is represented by a user icon in the Foreign
Security Principle Container.

Can this be a carryover from an NT 4 migration? I have only recently come on
the scene for this company and have found a number of anomalies to fix.

I will appreciate any insights into this issue.

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

If the accounts are showing as sids, I would think it's a DNS issue. Ensure
the workstations are pointing to only internal DNS servers, and set up
forwarders on the DNS servers (those should be on DC's)

hth

Ken

"Littlelegs" <Littlelegs@discussions.microsoft.com> wrote in message
news:B908F31F-5A15-4C60-AABD-6233443A3C67@microsoft.com...
> What should the entry in the Local Users Group be for the Authenticated
> Users
> Group on an XP workstation joined to a Domain? Should it be:
>
> "domainname"\Authenticated Users
>
> OR
>
> NT AUTHORITY\Authenticated Users (S-1-5-11)
>
> The reason I am asking is because of an updates problem experienced on a
> client network - updates failed unless the computer was unjoined from
> domain
> - temp fix of adding Domain admins to Backup and Restore User Rights. But
> more looking shows many, many settings with a SID rather than User\Group
> name
> on GPO settings - in particular the Local Users Group which shows the NT
> AUTHORITY entry above.
>
> I was expecting to find the Authenticated Users group owned by the Domain
> not by the NT Authority. When looking further the NT
> Authority\Authenticated
> Users group (identified by SID) is represented by a user icon in the
> Foreign
> Security Principle Container.
>
> Can this be a carryover from an NT 4 migration? I have only recently come
> on
> the scene for this company and have found a number of anomalies to fix.
>
> I will appreciate any insights into this issue.
>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Well only some of them are showing that way. The Domain users group is
showing as "domain-name"\Domain users - just not the Authenticated users
group.

I will check the DNS to make sure though - never can check DNS too much!

"Ken B" wrote:

> If the accounts are showing as sids, I would think it's a DNS issue. Ensure
> the workstations are pointing to only internal DNS servers, and set up
> forwarders on the DNS servers (those should be on DC's)
>