When you run the Gpresult.exe tool on a Windows Server 2003-based domain controller, incorrect computer account group memberships may be displayed (889501)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition

SYMPTOMS

When you run the Gpresult.exe command-line tool on a Microsoft Windows Server 2003-based domain controller, the following computer account group memberships may be unexpectedly displayed:

Administrators
Everybody
Authenticated Users

Additionally, when you run the Gpresult.exe tool on a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller in a particular situation, the following incorrect computer account group memberships may be displayed:

BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
ComputerName$
Domain Computers

Note In these results, the domain controller is listed as a member of the Domain Computers security group instead of as a member of the Domain Controllers security group.

You will experience this issue on a Windows Server 2003 SP1-based domain controller when you run the Gpresult.exe tool in the following way:
  1. You already have one domain controller that is configured by using DNS.
  2. You add one Windows Server 2003 SP1-based member server to this domain.
  3. You create a new organizational unit (OU) on the domain controller that is mentioned in step 1 and then move the Domain Controllers security group into the new OU.
  4. Make the Windows Server 2003 SP1-based member server that is mentioned in step 2 a domain controller that is joined to the domain that is mentioned in step 1.
  5. Run the Gpresult.exe tool at a command prompt on the domain controller that is mentioned in step 4.
By default, when you run the Gpresult.exe tool on a Windows Server 2003-based domain controller, the following computer account group memberships are listed:

BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
ComputerName$
Domain Controllers

CAUSE

This issue may occur because of a race condition in the Net Logon service start time.

RESOLUTION

To resolve this issue immediately, follow these steps:
  1. Disconnect the network connection, and then restart the domain controller.
  2. After the domain controller has started, reestablish the network connection, and then restart the domain controller again.
  3. Use the Gpresult.exe tool to verify that the computer account group memberships are correct.
To resolve this issue for future domain controller promotions on a Windows Server 2003-based computer without a service pack, join the server to a domain before you install the Active Directory directory service on the server.

Note To install Active Directory on a server, run the Active Directory Installation Wizard (Dcpromo.exe) at a command prompt.
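
The verification in step 3 of the immediate resolution can be scripted. The following Python sketch is an added example, not part of the original article or of any Microsoft tool. It assumes that the output of gpresult /scope computer was saved to a text file and read into a string, and it compares group names without their BUILTIN\, NT AUTHORITY\ or domain prefix. The header line and the computer name DC02$ in the sample are constructed.

```python
import re

# Default computer-account memberships for a domain controller, as listed in
# the article (compared without the BUILTIN\ / NT AUTHORITY\ / domain prefix).
EXPECTED = [
    "Administrators", "Everyone", "Pre-Windows 2000 Compatible Access",
    "Users", "Windows Authorization Access Group", "NETWORK",
    "Authenticated Users", "This Organization", "Domain Controllers",
]
# Membership the article reports on an affected domain controller.
WRONG = "Domain Computers"


def short_name(line):
    """Strip indentation and any 'PREFIX\\' part, collapse spaces, lowercase."""
    name = line.strip().rsplit("\\", 1)[-1]
    return re.sub(r"\s+", " ", name).strip().lower()


def check_dc_memberships(gpresult_text):
    """Return (missing_expected_groups, has_domain_computers)."""
    seen = {short_name(l) for l in gpresult_text.splitlines() if l.strip()}
    missing = [g for g in EXPECTED if g.lower() not in seen]
    return missing, WRONG.lower() in seen


# Constructed sample: the incorrect SP1 list from the article, with an
# assumed header line and a placeholder computer name (DC02$).
AFFECTED = """\
The computer is a part of the following security groups
-------------------------------------------------------
    BUILTIN\\Administrators
    Everyone
    BUILTIN\\Users
    NT AUTHORITY\\NETWORK
    NT AUTHORITY\\Authenticated Users
    This Organization
    DC02$
    Domain Computers
"""

if __name__ == "__main__":
    missing, wrong = check_dc_memberships(AFFECTED)
    print("missing:", missing)
    print("listed in Domain Computers:", wrong)
```

An empty list of missing groups together with no Domain Computers entry corresponds to the default memberships that the article lists for a domain controller.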

MORE INFORMATION

For more information about the Gpresult.exe tool, type gpresult /? at the command prompt, and then press ENTER.

Modification Type: Major
Last Reviewed: 8/17/2006
Keywords: kbwinservnetwork kbnetwork kbtshoot kbprb KB889501 kbAudITPRO