Microsoft KB Archive/889501

= When you run the Gpresult.exe tool on a Windows Server 2003-based domain controller, incorrect computer account group memberships may be displayed =

Article ID: 889501

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)

-





SYMPTOMS
When you run the Gpresult.exe command-line tool on a Microsoft Windows Server 2003-based domain controller, the following computer account group memberships may be unexpectedly displayed:

Administrators

Everybody

Authenticated Users

Additionally, when you run the Gpresult.exe tool on a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller in a particular situation, the following incorrect computer account group memberships may be displayed:

BUILTIN\Administrators

Everyone

BUILTIN\Users

NT AUTHORITY\NETWORK

NT AUTHORITY\Authenticated Users

This Organization

$

Domain Computers

Note In these results, the domain controller is listed as a member of the Domain Computers security group instead of as a member of the Domain Controllers security group.

You will experience this issue on a Windows Server 2003 SP1-based domain controller when you run the Gpresult.exe tool in the following way:
 * 1) You already have one domain controller that is configured by using DNS.
 * 2) You add one Windows Server 2003 SP1-based member server to this domain.
 * 3) You create a new organizational unit (OU) on the domain controller that is mentioned in step 1 and then move the security group &quot;domain controllers&quot; inside the new OU.
 * 4) Make the Windows Server 2003 SP1-based member server that is mentioned in step 2 a domain controller that is joined to the domain that is mentioned in step 1.
 * 5) Run the Gpresult.exe tool at a command prompt on the domain controller that is mentioned in step 4.

By default, when you run the Gpresult.exe tool on a Windows Server 2003-based domain controller, the following computer account group memberships are listed:

BUILTIN\Administrators

Everyone

BUILTIN\ Pre-Windows 2000 Compatible Access

BUILTIN\Users Windows Authorization Access Group

NT AUTHORITY\NETWORK

NT AUTHORITY\Authenticated Users

This Organization

$

Domain Controllers



CAUSE
This issue may occur because of a race condition in the Net Logon service start time.



RESOLUTION
To resolve this issue immediately, follow these steps:
 * 1) Disconnect the network connection, and then restart the domain controller.
 * 2) After the domain controller has started, reestablish the network connection, and then restart the domain controller again.
 * 3) Use the Gpresult.exe tool to verify that the computer account group memberships are correct.

To resolve this issue for future domain controller promotions on a Windows Server 2003-based computer without a service pack, join the server to a domain before you install the Active Directory directory service on the server.

Note To install Active Directory on a server, run the Active Directory Install Wizard (Dcpromo.exe) at a command prompt.



MORE INFORMATION
For more information about the Gpresult.exe tool, type gpresult /? at the command prompt, and then press ENTER.

Keywords: kbtshoot kbnetwork kbprb kbwinservnetwork KB889501

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.