  • Recreate BUILTIN\Incoming Forest Trust Builders (7 answers)

    Hi,
    A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group.
    Is it possible to recreate this group with the same well known SID?
    Authoritative restore is out of the question, the deletion was too long ago.
    Han Valk.
  • No.1

    I don't think so. The objectSid attribute is a systemOnly attribute. Personally I
    am impressed by that "smart co-worker" that managed to delete it. According
    to the AD Delegation appendices it's not possible to move, delete or rename this group.

    Maybe he exploited the dynamic objects feature in Windows 2003 RTM?

    M@
  • No.2

    I am wondering if there are ACLs defined on the group itself or the OU above
    to prevent you from seeing it. Do you see it as the Administrator account of
    the domain?

    M@

    8/14/06, Han Valk <Han.Valk (AT) falconhouse (DOT) net> wrote:

    Problem is I don't see it anymore in the BUILTIN container. Strange thing is
    that if I look at the security of the domain object in ADUC, Incoming Forest
    Trust Builders is there.
  • No.3

    By the way, you are looking for this on the forest root, right?

    M@

    8/14/06, Han Valk <Han.Valk (AT) falconhouse (DOT) net> wrote:

    Yep, logged in as Domain Admin.
  • No.4

    I also meant to view as Administrator, not an account with domain admin
    rights. There are subtle differences in certain scenarios. I was assuming
    the ACLs on the object or the parent are possibly preventing you from
    viewing the object. But I doubt it's the case.

    You aren't using the list object (L) right, are you?

    M@
  • No.5

    It's only in the forest domain IIRC ;-)

    M@

    8/14/06, Han Valk <Han.Valk (AT) falconhouse (DOT) net> wrote:

    No? Child domain.
  • No.6

    In light of the last post I've seen in this thread, are you absolutely sure
    the account was deleted? I'm skeptical, since you seem quite certain that
    the deletion occurred in a child domain, where this particular security
    principal does NOT exist.

    Can you clarify the means by which the group was deleted? It may assist in
    understanding what's going on here.
  • No.7

    I'm not in a position to properly prove out the existence and/or reason for
    the child domain ACEs. However, the Incoming Forest Trust Builders group
    uses a well-known SID of S-1-5-32-557; this kind of SID lacks domain
    affiliation, i.e. it doesn't technically belong to any particular domain
    within the forest and is subsequently deemed "mine" by any DC attempting
    to resolve it, regardless of the domain they're in.

    Note that the same is true of Administrators, for example: review
    the ACL on the NC head of the ForestDnsZones partition when focused on a
    DC/DNS server in the forest root domain, then re-read the same ACL when focused
    on a DC in a peer-root or child domain and note the claimed affiliation of
    the Administrators ACE.
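The three technical points raised in this thread (No.1: objectSid is systemOnly, so a recreated group cannot be given the old SID; No.5: the group lives only in the forest root; No.7: S-1-5-32-557 is a BUILTIN SID with no domain affiliation) can be checked from a management host. The script below is an added example, not code from any of the posters. It assumes the RSAT ActiveDirectory module is installed, that it runs on a domain-joined machine, and that the DC name and the sample domain SID are placeholders you replace.

```powershell
# Added example (not from the thread). Assumes RSAT's ActiveDirectory module and a
# domain-joined host. 'rootdc01.example.test' and 'S-1-5-21-1-2-3-512' are placeholders.
Import-Module ActiveDirectory

# Well-known SID of BUILTIN\Incoming Forest Trust Builders, as stated in post No.7.
$IftbSid = 'S-1-5-32-557'

function Get-SidScope {
    # Classifies a SID: S-1-5-32-* is the BUILTIN authority and carries no domain
    # identifier, which is why every DC in the forest resolves it as its own.
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    if ($s.Value -like 'S-1-5-32-*') {
        return 'Builtin'
    }
    if ($null -ne $s.AccountDomainSid) {
        # Domain-relative SID: the prefix names the issuing domain.
        return "Domain:$($s.AccountDomainSid.Value)"
    }
    return 'OtherWellKnown'
}

function Test-IftbPresent {
    # Returns $true when an object with the well-known SID still exists on the DC.
    # On a child-domain DC this is $false even in a healthy forest (the group exists
    # only in the forest root's BUILTIN container, post No.5), so query a root DC.
    param([Parameter(Mandatory)][string]$Server)
    try {
        $g = Get-ADGroup -Identity $IftbSid -Server $Server -ErrorAction Stop
        Write-Host "Found $($g.DistinguishedName) on $Server"
        return $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "No object with SID $IftbSid on $Server"
        return $false
    }
}

function Test-ObjectSidIsSystemOnly {
    # Reads the schema definition of objectSid and returns its systemOnly flag.
    # A systemOnly attribute is written by the directory itself, not by callers,
    # which is post No.1's reason a new group cannot be created with the old SID.
    param([Parameter(Mandatory)][string]$Server)
    $schemaNc = (Get-ADRootDSE -Server $Server).schemaNamingContext
    $attr = Get-ADObject -Server $Server -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=objectSid)' -Properties systemOnly
    return [bool]$attr.systemOnly
}

# Usage (placeholder DC name and constructed sample domain SID):
Get-SidScope -Sid $IftbSid                 # Builtin
Get-SidScope -Sid 'S-1-5-21-1-2-3-512'     # Domain:S-1-5-21-1-2-3
Test-IftbPresent -Server 'rootdc01.example.test'
Test-ObjectSidIsSystemOnly -Server 'rootdc01.example.test'
```

Run Test-IftbPresent against a forest-root DC only; a $false from a child-domain DC tells you nothing about whether the group was deleted, which is the misunderstanding post No.6 suspects. If the root DC also returns $false, the only supported way to get the SID back is the restore path the original poster ruled out, because Test-ObjectSidIsSystemOnly shows that objectSid is not a caller-writable attribute.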
