Domain Controller Help!

Posted: Fri Jan 28, 2005 11:48 am
by chugger93
Ok I messed up something big time and I could use a hand.

I was in AD, and opened up the Domain Controllers container, which contains the computer name of my domain controller (fileserver).

I was in it setting up permissions for RIS, and denied everything on the Authenticated Users, because I was testing something. I didn't think Authenticated Users would jack up the Administrator account! (stupid me)

Of course now, I can't click on the FILESERVER computer, because I get this msg:
The specified directory service attribute or value does not exist.

I need to reset those permissions somehow! I tried delegation but that doesn't work!

Any ideas?

Posted: Fri Jan 28, 2005 11:54 am
by chugger93
Ok it works kinda now. I can get to the security tab, however I still get that error msg. Authenticated Users has all permissions now like it was before. Now why would I get that error msg still though?

Posted: Tue Feb 01, 2005 2:50 pm
by koldchillah
Someone please correct me if I'm wrong, but you shouldn't have to give authenticated users full control. If you are logged on with a domain admin account, the permissions for 'authenticated users' should not apply b/c you are receiving higher permissions from the domain admin group.

The 'authenticated users' permissions apply to anyone who is authenticated on the domain but NOT explicitly assigned permissions via another group.

Have you logged off/on again? Anything funky showing up in the event logs relating to this error you're getting?

Posted: Thu Feb 10, 2005 11:38 am
by Tekmazter
koldchillah wrote: Someone please correct me if I'm wrong, but you shouldn't have to give authenticated users full control. If you are logged on with a domain admin account, the permissions for 'authenticated users' should not apply b/c you are receiving higher permissions from the domain admin group.

The 'authenticated users' permissions apply to anyone who is authenticated on the domain but NOT explicitly assigned permissions via another group.

Have you logged off/on again? Anything funky showing up in the event logs relating to this error you're getting?

There's actually a couple different strategies being used with this group. In the Windows 2000 operating system, groups such as Everyone and Authenticated Users, whose membership is automatically configured by the operating system, are not used to assign permissions. They are controlled specifically by the OS. So, in the case of koldchillah's statement, I would say he's right.

HOWEVER:

It has become more commonplace for admins to use the Authenticated user group to assign NTFS permissions rather than using the EVERYONE group. This is because EVERYONE includes null sessions, which of course aren't authenticated. In terms of the original question however, I do not believe you should be granting FULL CONTROL to the Authenticated Users group here.
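
An added example, not part of the thread: a simplified Python model of how Windows walks a DACL, showing why a Deny entry for Authenticated Users on the domain controller's computer object also blocks a domain administrator, whose token carries that SID as well. The SIDs use a placeholder domain part, and the tokens, DACLs and function names are constructed for illustration.

```python
# Simplified model of a Windows DACL access check (illustration only).
# Ignores inheritance, object-specific ACEs and the owner's implicit rights.
AUTHENTICATED_USERS = "S-1-5-11"            # well-known SID
DOMAIN_ADMINS = "S-1-5-21-<domain>-512"     # placeholder domain part, RID 512
ADMINISTRATOR = "S-1-5-21-<domain>-500"     # placeholder domain part, RID 500
HELPDESK_USER = "S-1-5-21-<domain>-1105"    # constructed ordinary account

READ_PROP, WRITE_PROP = 0x10, 0x20          # ADS_RIGHT_DS_READ_PROP / WRITE_PROP
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000
ALL = READ_PROP | WRITE_PROP | READ_CONTROL | WRITE_DAC

# Constructed tokens: every authenticated logon carries S-1-5-11.
ADMIN_TOKEN = {ADMINISTRATOR, DOMAIN_ADMINS, AUTHENTICATED_USERS}
USER_TOKEN = {HELPDESK_USER, AUTHENTICATED_USERS}

# Constructed DACLs for the domain controller's computer object.
BEFORE = [("allow", DOMAIN_ADMINS, ALL),
          ("allow", AUTHENTICATED_USERS, READ_PROP | READ_CONTROL)]
AFTER_DENY = [("allow", DOMAIN_ADMINS, ALL),
              ("deny", AUTHENTICATED_USERS, ALL)]


def canonical(dacl):
    """Explicit deny ACEs sort ahead of explicit allow ACEs (stable sort)."""
    return sorted(dacl, key=lambda ace: ace[0] != "deny")


def access_check(token_sids, dacl, desired):
    """True if all bits in `desired` are granted before any deny ACE matches."""
    remaining = desired
    for ace_type, sid, mask in canonical(dacl):
        if sid not in token_sids:
            continue                      # ACE is for a SID this token lacks
        if ace_type == "deny" and mask & remaining:
            return False                  # deny wins over any later allow
        if ace_type == "allow":
            remaining &= ~mask            # these bits are now granted
        if remaining == 0:
            return True
    return False                          # leftover bits were never granted


if __name__ == "__main__":
    for name, dacl in (("before", BEFORE), ("after deny", AFTER_DENY)):
        print(name, "admin can read:", access_check(ADMIN_TOKEN, dacl, READ_PROP))
```
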