Jerry Seinfield asked:

The NT Authority\System group is missing from one of our forests

Hello Experts,

One of my customers runs a multi-forest environment: one forest for QA, another for DEV, and one for production. All are independent forests with some sort of one-way trust relationship.

I am dealing with an issue in QA where it seems the NT Authority\System group is not present, and an ADUC query does not return anything for it.

This group is present in production and DEV, and their feedback is that they do not remember having deleted this group in the past, and the people who used to work in this department are gone.

Windows 2012 R2 Standard edition is the OS running on all DCs, and they have one empty forest root domain and one child domain per forest.

Can someone please provide step-by-step instructions to recover this group?
Thank you in advance
McKnife:

That's not a group but a built-in account, which exists everywhere ("the system account"). What makes you think it's deleted? (It can't be deleted.)
Jerry Seinfield (asker):

When I search, that account is not present in AD for this particular forest.


Can I please get another feedback?
Any updates?
I have to agree with McKnife. There is no "System" account in AD. You can add the NT Authority\System account to share or NTFS permissions. You can even delegate authority to it, but a normal query in ADUC will not return it. Can you share a screenshot of the query that shows it in the other domains?
My question is how to recover the built-in system group or account, also known as NT Authority\System or Local System.
Is there a way to search for the system account or group by SID? An AD screenshot is not possible, but I can tell you that in the other forests it is there as a group.
Yup. I understand your question, but since I have never heard of it being deleted (as far as I know, it can't be), there is no way to recover it. Where in AD is it as a group? In what OU/container?

Under Groups\Security in AD

Since that is not a default container or OU, I assume it is something your people made. If you want to see if the group actually exists, select the properties of any domain or OU in AD and select the Security tab. Is System missing from the ACL?
OMG, the System group is there, listed under the Security tab.

So why am I not able to query and see it in AD?
It's the local system account, unique to that machine. It exists in AD and is seen as the machine itself, the DC itself ("DCname$"). So yes, you can for example add it to ACLs or even groups if you stop filtering for users and filter for computer accounts instead.
NT Authority\System is present on all computers and is not represented by an object. It represents the system itself. In that way, it is similar to Authenticated Users and other special identities. I don't know what you see in the other domains, but I suspect someone made up a group for a different reason.
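The following PowerShell script is an added example, not part of this thread or any contributor's answer. It shows why the ADUC search comes back empty: NT AUTHORITY\SYSTEM is the well-known SID S-1-5-18, which resolves locally on any Windows host, has no object in the domain naming context, and is only represented in the directory by a foreignSecurityPrincipal placeholder under the Configuration partition's "WellKnown Security Principals" container. The script also confirms the identity is still present in the domain root's ACL, which is the check that matters. It assumes a domain-joined host with the RSAT ActiveDirectory module (which creates the AD: PSDrive); the domain DN is read from Get-ADDomain rather than hard-coded.

```powershell
# Added example (not from the thread): verify that NT AUTHORITY\SYSTEM is a
# well-known security principal rather than a deletable directory object, and
# confirm it is still referenced in the domain root ACL.
# Assumes the RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

function Test-WellKnownSystemPrincipal {
    # S-1-5-18 is the well-known SID for LocalSystem (NT AUTHORITY\SYSTEM).
    $sidString = 'S-1-5-18'
    $systemSid = New-Object System.Security.Principal.SecurityIdentifier $sidString

    # 1. The SID resolves locally, with no directory lookup involved.
    $resolvedName = $systemSid.Translate([System.Security.Principal.NTAccount]).Value

    # 2. The domain naming context holds no object with this SID. An empty
    #    result here is expected and is not evidence of deletion.
    $domainObject = Get-ADObject -Filter "objectSid -eq '$sidString'" `
        -ErrorAction SilentlyContinue

    # 3. The Configuration partition carries a foreignSecurityPrincipal
    #    placeholder for each well-known SID (matching the "Object Class:
    #    Foreign Security Principal" wording in the documentation).
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $wellKnown = Get-ADObject -SearchBase "CN=WellKnown Security Principals,$configNC" `
        -Filter "objectSid -eq '$sidString'" -Properties objectSid, objectClass `
        -ErrorAction SilentlyContinue

    # 4. The identity still appears in the domain root ACL, which is what the
    #    Security tab in ADUC displays.
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    $systemAces = $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' }

    [pscustomobject]@{
        Sid                      = $sidString
        ResolvedName             = $resolvedName
        FoundInDomainPartition   = [bool]$domainObject
        ConfigPlaceholderDN      = if ($wellKnown) { $wellKnown.DistinguishedName } else { $null }
        ConfigPlaceholderClass   = if ($wellKnown) { $wellKnown.objectClass } else { $null }
        DomainRootAceCount       = @($systemAces).Count
        DomainRootRights         = @($systemAces | ForEach-Object { $_.ActiveDirectoryRights }) -join '; '
    }
}

Test-WellKnownSystemPrincipal | Format-List
```

On a healthy domain, ResolvedName is NT AUTHORITY\SYSTEM, FoundInDomainPartition is False, ConfigPlaceholderClass is foreignSecurityPrincipal, and DomainRootAceCount is greater than zero. A DomainRootAceCount of zero would indicate the ACL on the domain head was changed, not that an account was deleted; compare it against a known-good forest and review the default security descriptor before restoring any ACEs.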
ASKER CERTIFIED SOLUTION
Aard Vark
It's not quite clear to me what you wanted to do with that account. Anyway, the remarks "it is not an account" and "in terms of AD it is effectively a foreign security principal" are misleading. Yes, the documentation says
Object Class:      Foreign Security Principal
but, as said before, the system account is of course an account in AD (namely the computer itself, as listed in computer accounts) and can be used as such in any ACL and for any purpose of authentication.