Re: Domain groups show up as a SID

From: Mike (mjl000@hotmail.com.nospam)
Date: 02/14/03


From: "Mike" <mjl000@hotmail.com.nospam>
Date: Fri, 14 Feb 2003 10:46:54 GMT


James,

I think your system is working correctly. I believe that is the way security
permissions work in 2000, depending upon the level of security for your domain
and depending upon how your PC is configured, but I may be wrong.
If you log on as a member of a Domain Admins group, but the Local Admins group is
not part of any Domain group or the Domain Admins group is not a member of the
Local Admins group, they are in different, unrelated security groups.

So if the Domain Admin group has an account named Administrator and the Local
Administrators group has an account named Administrator (by default both exist),
even though the names are the same, they are in two separate security entities
that don't see or communicate with each other. That's why when you log on with
the Local Administrator account (it could have the same password), you only see
SIDs for all Permissions viewed and granted to any Domain Account. If you turn
around and log on with the Domain Administrators account and view the
permissions, then alternately the Permissions granted to the Local Administrator
account (or any Local user account) appear with SIDs.

Ensure that your Local Power User doesn't change any permissions or it could
screw things up for your other local account users, although it is not likely to
affect your Domain Admin account. Your Domain Admin account can always seize
ownership of resources and directories if needed. The domain policies have
precedence over local security policies when the PC is a member of a domain.

"James Raaymakers" <jamesraa@pacbell.net> wrote in message
news:01c701c2d390$bccc9270$a101280a@phx.gbl...
| Thanks Mike,
| I am logging on the local client machines with a user
| account that is a member of the Domain Admins group when I
| view the members of the computers local groups and see
| SIDs instead of names. If I add another domain user or
| group I'll see the name until I click the apply button,
| then the name changes to the SID for the account. I get no
| errors nor am I asked to provide domain credentials to
| access the domain accounts list like you would be if you
| were not logged on with a domain account. Permissions
| appear to work fine for the domain groups. Logging on with
| domain accounts is fine. There are no individual domain
| accounts added to the clients. Just the Domain users group
| in the local Power Users Group. (For my daughter's legacy
| games to run.)
|
| James
|
|
| >-----Original Message-----
| >Don't remove and re-add groups. When you do so, the new group is not the same
| >as the old group even if the permissions and names are the same.
| >
| >If the local user you are logged on with is not a member of the domain (like
| >admin, users) then you will see SIDs 'cause the username is unknown to the local
| >user (they don't comm with each other or the server since the local admin/user
| >is not in the domain.)
| >
| >
| >"James Raaymakers MCSE" <jamesraa@pacbell.net> wrote in message
| >news:026701c2d2f0$a819ead0$a101280a@phx.gbl...
| >| Hi all,
| >| I have a Windows 2000 Active Directory Domain in
| >| Native mode. When I view the members of the local groups
| >| on a client or member server the domain groups show as
| >| SIDs. So I cannot tell which is which. Removing and
| >| re-adding the groups has no effect. Removing the computer
| >| from then re-adding it to the domain also has no effect.
| >| Can anyone help? Thanks.
| >
| >
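
An added example, not part of the original thread: a script that lists the members of a local group by SID, labels each SID as local, domain or well-known, and records why a name lookup failed under the current logon. It assumes Windows PowerShell 3.0 or later on a domain-joined machine; the `$GroupName` parameter and its default (the Power Users group mentioned in the thread) are illustrative.

```powershell
# Added example (not from the thread). Run on the client or member server itself.
param([string]$GroupName = 'Power Users')   # illustrative default: group named in the thread

# SID prefix of this machine's own account database, taken from any local account.
$localAcct  = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
              Select-Object -First 1
$machineSid = (New-Object System.Security.Principal.SecurityIdentifier($localAcct.SID)).AccountDomainSid

$group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"

$rows = foreach ($member in @($group.Invoke('Members'))) {
    # Members come back as COM objects; read the raw SID bytes by late binding.
    $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    # Classify by issuing authority: no domain part, this machine, or another domain.
    if ($null -eq $sid.AccountDomainSid) {
        $scope = 'well-known'
    } elseif ($sid.AccountDomainSid.Value -eq $machineSid.Value) {
        $scope = 'local'
    } else {
        $scope = 'domain'
    }

    # Try the same SID-to-name lookup the GUI performs; keep the error text if it fails.
    $name = $null; $reason = $null
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $reason = $_.Exception.Message
    }

    [pscustomobject]@{ Sid = $sid.Value; Scope = $scope; Name = $name; Unresolved = $reason }
}

$rows | Sort-Object Scope, Sid | Format-List
```

Running it once under a local account and once under a domain account shows which entries resolve to names in each logon context.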