NECC_Tech


Unknown account inheriting permissions to all GPO's?

Hi. Every time I create a GPO it has an unknown object in the permissions (on the delegation tab). See pic. I can't find where this is being pulled from. Any ideas? I'm running latest GPMC on Server 2008 r2.
ASKER CERTIFIED SOLUTION
HaiFai
It would help to identify the SID to begin with. You can download this:

http://wingeek.com/software/sidresolver/

It will resolve the SID for you. If it resolves to something like NT Authority local service then you need to determine why it is not resolving in the first place. Could be registry related...
NECC_Tech

ASKER

When I create a new GPO it exists in a container in GPMC called "Group Policy Objects", this container is not an OU and does not show in ADUC. In ADUC if I check the properties of the Domain object (the top container) and view Security, I see no unresolvable objects?

I tried sidresolver (neat utility), however it did not resolve the SID which is a relief as this would have opened another can of worms.

So it looks like I have assigned some sort of delegation at some level in AD to a user or group that I have since deleted. I have no idea where to look. Thanks for the comments so far.
Best guess is to start at the domain root and check the Security tab to see if the SID is there.
See my last reply, that is what I have done.
Thanks for the pointer. It was indeed old users. They were in 2 places:
In the Delegation tab of the GPO
Within some of the group policy settings themselves
I searched through and deleted any occurrence where there was a SID and the problem was resolved.
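
The search described in the post above can be scripted. This is an added example, not code from any poster in the thread: it lists unresolvable SIDs on each GPO's delegation ACL and in its settings report, and changes nothing. It assumes the GroupPolicy module that ships with GPMC on Server 2008 R2 (where the cmdlet is named Get-GPPermissions) and matches only domain account SIDs in the report; the helper Test-SidResolves is a hypothetical name.

```powershell
# Added example (read-only audit): list SIDs in GPO delegation and settings
# that no longer resolve to an account. Needs the GroupPolicy module from GPMC.
Import-Module GroupPolicy

$cache = @{}   # SID string -> $true/$false, so each SID is looked up only once
function Test-SidResolves([string]$Sid) {   # hypothetical helper name
    if (-not $cache.ContainsKey($Sid)) {
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
            [void]$id.Translate([System.Security.Principal.NTAccount])
            $cache[$Sid] = $true
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $cache[$Sid] = $false   # no account behind this SID any more
        } catch {
            Write-Warning "Lookup failed for ${Sid}: $_"
            $cache[$Sid] = $true    # lookup error: do not report it as orphaned
        }
    }
    return $cache[$Sid]
}

$sidPattern = 'S-1-5-21(?:-\d+){4}'   # assumption: domain account SIDs only
$findings = foreach ($gpo in Get-GPO -All) {
    $seen = @()
    # 1. Delegation tab: trustees on the GPO's own ACL
    foreach ($perm in Get-GPPermissions -Guid $gpo.Id -All) {
        $sid = [string]$perm.Trustee.Sid
        if (-not (Test-SidResolves $sid)) {
            $seen += $sid
            New-Object PSObject -Property @{
                GPO = $gpo.DisplayName; Location = 'Delegation'; Sid = $sid }
        }
    }
    # 2. Settings: SIDs embedded anywhere else in the GPO's XML report
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    [regex]::Matches($xml, $sidPattern) | ForEach-Object { $_.Value } |
        Sort-Object -Unique |
        Where-Object { ($seen -notcontains $_) -and -not (Test-SidResolves $_) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                GPO = $gpo.DisplayName; Location = 'Settings'; Sid = $_ }
        }
}
$findings | Sort-Object GPO, Location, Sid | Format-Table GPO, Location, Sid -AutoSize
```

A SID that appears on every GPO, including newly created ones, points at an inherited or default ACL rather than at individual GPOs.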
The accepted solution here is bs. This behaviour occurs simply by creating a gpo before assigning it to an ou so it can't be linked to an ou.
Scarily I have exactly the same issue with the SAM SID:
S-1-5-21-1631418629-1661756333-2076119496-196069
This is too much of a coincidence for me.

Anyone got any clues?