#1 (permalink) |
|
Guest
Posts: n/a
OS:
|
Can't add "Administrators"
OK, I have been having issues with folder permissions on a Windows Server 2003 box which is a member of a domain (within a fairly substantial forest). Let's call the domain "dom.orgsn.net".
One of the problems I have is that (logged in as a Domain Admin of dom.orgsn.net), I find a folder which does not have "Administrators --> Full Control" on it. I try to correct it, however when I type "Administrators" in the "Select User, Computer or Group" dialog, I get the answer "An object (User, Group, or built-in security principal) with the following name cannot be found: "administrators". Check the selected object types for accuracy and ensure you have typed the object name correctly, or remove this object from the selection."
In the "Object type" I have "User, group or built-in security principal" selected. In the "from this location" field I have "dom.orgsn.net" selected. If I try to narrow the search down, by selecting "dom.orgsn.net\BuiltIn" as the location, and typing simply "A" as the object name, it returns a list of "Authenticated Users" and "Anonymous logon". No Administrators group. Looking in AD Users and Computers confirms that this group does actually exist.
***?!?! LOL Please help?
#3 (permalink) |
|
Guest
Posts: n/a
OS:
|
That wasn't actually my question. I'm not a paper MCSE I'm a real one.
I want to know why I can't add BuiltIn\Administrators... in fact it seems to extend to all domain local groups; I can't give Domain Local Groups permissions to files... Last edited by stonelaughter; 10-17-2006 at 06:41 AM. |
|
|
|
#5 (permalink) |
|
Guest
Posts: n/a
OS:
|
Just that I'm not dim; I do know about the Domain Admins group. That was not however what I was trying to accomplish. I saw your reply as patronising and possibly even contemptuous; either that or you assumed that I was not asking the question I wanted answered.
Have you any idea then, why I cannot add Domain Local Groups (including "Administrators") to a folder's permissions? |
|
|
|
#6 (permalink) |
|
Registered User
Join Date: Oct 2004
Location: Omaha, The Center of the Universe
Posts: 7,632
OS: WinXP, Win2K3
|
Builtin groups cannot be used the way you want. They are designed to be used on the domain controllers and the domain controllers only for delegation purposes.
You may need to create the DLGs for each of the domains under the users folder in AD. But as far as I know you cannot use BuiltIn groups in that manner. Last edited by crazijoe; 10-17-2006 at 08:41 AM. |
|
|
|
|
|
#7 (permalink) |
|
Registered User
|
If you are looking to add full DOMAIN administrator privileges on a computer/server that is not a domain controller then you must use "Domain Admins". "Administrator" is only available as a local group. If you want to add the local administrator then change the location to the local computer/server.
|
|
|
|
|
|
#9 (permalink) | |
|
Guest
Posts: n/a
OS:
|
Quote:
I initially tried to add dom.orgsn.net\builtin\administrators to the ACL for a folder. It's clear from the above (thanks crazijoe) that this wouldn't work. However, I also tried to add dom.orgsn.net\dom groups\other group (whose scope is DOMAIN LOCAL) to the ACL for a folder. I could not even SEE the group, never mind add it to the ACL. There are four scopes remember? Local (on an individual computer), DOMAIN LOCAL (visible only within the domain), Domain Global and Universal. Last edited by stonelaughter; 10-17-2006 at 02:31 PM. |
|
|
|
|
#10 (permalink) | |
|
Registered User
|
Quote:
Local (on an individual computer)
DOMAIN LOCAL (ONLY VISIBLE ON DOMAIN CONTROLLER(S))
Domain Global (Seen within the domain)
Universal (seen throughout the forest)
I have tested it!! You seem to have come to the same conclusion but don't seem to believe it.
|
|
|
|
|
|
|
#11 (permalink) | |
|
Guest
Posts: n/a
OS:
|
FFS - I'm gonna ask on a different forum I think...
See below from http://technet2.microsoft.com/Window....mspx?mfr=true Quote:
|
|
|
|
|
#12 (permalink) | |
|
Registered User
|
Quote:
BTW, what mode is the domain in ... I have been assuming the default Windows 2000 mixed. |
|
|
|
|
|
|
#14 (permalink) | |
|
Guest
Posts: n/a
OS:
|
Quote:
The domain/forest are in Native/Windows Server 2003 Mode. **** you lot I'm leaving - you're not listening to a ******* word I say. |
|
|
|
|
#15 (permalink) | |||
|
General Manager (Administrator)
|
Quote:
Quote:
Quote:
__________________
Know where you're going in life. You may already be there
|
|||
|
|
|
|
|
#16 (permalink) |
|
Moderator Networking Team
Join Date: Aug 2006
Location: Canada
Posts: 2,664
OS: Windows Vista Business SP1, Windows XP Professional SP3
|
If the folder you are trying to reference is outside the DC, such as on a separate file server, then referencing the Built-in Domain Locals will not work. Built-in DLs should be considered to be the same thing as Built-in Local groups, except that since DCs share databases, they refer to all the DCs (but only the DCs) in that domain. Built-in Domain Locals and regular Domain Locals are actually two different beasts of the same species.
|
|
|
|
|
|
#17 (permalink) | |
|
Registered User
Join Date: Nov 2007
Posts: 1
OS: Windows XP SP2
|
Re: Can't add "Administrators"
Stonelaughter -
I feel your frustration. I found this forums site because I was experiencing the exact same issue you described in your posts. As I was following this thread I found myself getting frustrated with everyone's inability to grasp the essence of this simple question. This is the prime example of why MSFT exams take such heated criticism - too easy to acquire the certification without knowing the material.
Anyway, I found the answer to 'our' question - http://support.microsoft.com/kb/279835
Quote:
Horse - Give the guy a break. He's trying to find a resolution to his problem on a "technical" forum and the only support he's getting is from those who have no clue what they are talking about. His frustration is based on the fact that he's already explained the difference between Local Groups and Domain Local Groups, which should have been clearly understood from the very first post. If you don't understand the difference between these two groups, you need to go back and study the MSFT MCSE material again.
|
|
|
|