sids on gpos

  • sids on gpos

    Greetings,
    Sorry to repost about a topic I have seen elsewhere on the forums, I just really want to clarify something before I go ahead.
    In my default domain controller policy I have a large number of SIDs which I don't believe belong to my current domain. Problem is that I have inherited this domain setup and therefore am not 100% sure if these policies were created new when the domain was created or whether they were imported (which would possibly explain the large number of un-resolved names). Can I safely remove these SIDs or am I likely to seriously screw something up?
    Many thanks.
    James

  • #2
    Where are these SIDs - in the security filtering or somewhere else?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Sorry Ossian, it would have helped if I had put that, wouldn't it. In the default domain controller policy, under computer\policies\windows settings\security settings\local policies/user rights assignment. I have pasted a part of it below. Our domain starts with S-1-5-21-4112984153.

      Access this computer from the network
      BUILTIN\Pre-Windows 2000 Compatible Access,
      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS,
      NT AUTHORITY\Authenticated Users,
      BUILTIN\Administrators,
      S-1-5-21-158852747-4042112980-3913221358-1004,
      S-1-5-21-158852747-4042112980-3913221358-1001,
      S-1-5-21-158852747-4042112980-3913221358-1000,
      Everyone,
      S-1-5-21-158852747-4042112980-3913221358-11261,
      S-1-5-21-158852747-4042112980-3913221358-11260,

      Act as part of the operating system
      S-1-5-21-158852747-4042112980-3913221358-500

      Add workstations to domain
      NT AUTHORITY\Authenticated Users



      • #4
        These are the worst ones

        Log on as a batch job
        BUILTIN\IIS_IUSRS,
        CANTELL\administrator,
        CANTELL\IIS_WPG,
        CANTELL\IWAM_DC02,
        S-1-5-21-158852747-4042112980-3913221358-11260,
        S-1-5-21-158852747-4042112980-3913221358-10031,
        BUILTIN,
        S-1-5-21-158852747-4042112980-3913221358-1006,
        S-1-5-21-158852747-4042112980-3913221358-1004,
        S-1-5-21-158852747-4042112980-3913221358-1001,
        S-1-5-21-158852747-4042112980-3913221358-1000,
        NT AUTHORITY\LOCAL SERVICE,
        S-1-5-21-158852747-4042112980-3913221358-500,
        S-1-5-21-158852747-4042112980-3913221358-11261,

        Log on as a service
        S-1-5-82-407754418-3410272814-2729077289-794550259-3295103753,
        S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415,
        S-1-5-21-158852747-4042112980-3913221358-10006,
        S-1-5-21-158852747-4042112980-3913221358-9216,
        S-1-5-21-158852747-4042112980-3913221358-1004,
        NT AUTHORITY\NETWORK SERVICE,
        S-1-5-21-158852747-4042112980-3913221358-500,
        S-1-5-21-158852747-4042112980-3913221358-11665,
        S-1-5-21-158852747-4042112980-3913221358-11669,
        CS-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334



        • #5
          My experience with SIDs in GP or with NTFS security is: if it won't resolve, it's not important. Since you've got these SIDs as text to copy into this forum, you've got the documentation to re-instate any if something does go wrong. I'd say get rid of them, one SID or two at a time. If the same SID is shown in more than one place, try to get rid of that one in all the places at the same time. Give it a day, and restart your servers if at all possible. If nothing breaks, repeat as needed until you're happy.
          *RicklesP*
          MSCA (2003/XP), Security+, CCNA

          ** Remember: credit where credit is due, and reputation points as appropriate **



          • #6
            That's pretty much my take on it too, but I wanted to be sure before I did it. Problem is I don't know for sure if there are some permissions missing that should be there. I suppose the only way I'm going to find that out is resetting them to default, but I don't think I should be doing that.



            • #7
              Don't reset to default unless you have complete backups with system states to restore from. Just take a couple of the SIDs out and give it a few days, see if the sky starts to fall. If everything carries on as normal, pull a few more. Since not every SID has the same prefix string set, I'm wondering if your system ever had a trust set up with another domain, and users from that other domain had access to your local resources. I have had no such experience, but I mention it as a possibility in explaining where those SIDs came from.
              *RicklesP*
              MSCA (2003/XP), Security+, CCNA

              ** Remember: credit where credit is due, and reputation points as appropriate **
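A way to act on #5's advice (record every unresolved SID and every right that grants it before touching anything) and #7's observation that the SIDs carry different prefixes, as an added example that is not from the thread: it classifies each raw SID by its domain identifier and RID and lists all rights it appears in, so one SID can be removed everywhere at once and restored from the record. The right names and sample entries are copied from the paste above; the local domain prefix is assumed to be the partial value James gave.

```python
"""Classify raw SIDs in a GPO user-rights assignment before removing them."""
from collections import defaultdict

# Relative IDs that exist in every domain; RIDs >= 1000 are principals created later.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 515: "Domain Computers",
                   516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins"}

# Constructed sample: a subset of the entries pasted in the thread above.
SAMPLE_RIGHTS = {
    "Access this computer from the network": [
        "BUILTIN\\Administrators",
        "S-1-5-21-158852747-4042112980-3913221358-1004",
        "S-1-5-21-158852747-4042112980-3913221358-500",
    ],
    "Log on as a batch job": [
        "S-1-5-21-158852747-4042112980-3913221358-1004",
        "S-1-5-21-158852747-4042112980-3913221358-10031",
    ],
    "Log on as a service": [
        "S-1-5-82-407754418-3410272814-2729077289-794550259-3295103753",
        "S-1-5-21-158852747-4042112980-3913221358-1004",
    ],
}

def classify(entry, local_domain_prefix):
    """Return (category, note) for one user-rights entry; names are already resolved."""
    if not entry.startswith("S-1-"):
        return "resolved", entry
    parts = entry.split("-")
    if parts[3] == "21" and len(parts) == 8:      # S-1-5-21-<domain identifier>-<RID>
        domain, rid = "-".join(parts[:7]), int(parts[7])
        local = domain == local_domain_prefix or domain.startswith(local_domain_prefix + "-")
        what = WELL_KNOWN_RIDS.get(rid, "created account/group" if rid >= 1000 else "reserved")
        return ("local-domain" if local else "foreign-domain"), f"RID {rid}: {what}"
    if parts[3] == "82":                           # S-1-5-82-...: IIS AppPool virtual account
        return "iis-apppool", "virtual account, only resolvable on the IIS host itself"
    if parts[3] == "32":
        return "builtin", "BUILTIN alias"
    return "other", "unrecognised sub-authority"

def report(rights, local_domain_prefix):
    """Map each unresolved SID to its classification and every right granting it."""
    out = defaultdict(lambda: {"category": None, "note": None, "rights": []})
    for right, entries in rights.items():
        for entry in entries:
            if entry.startswith("S-1-"):
                cat, note = classify(entry, local_domain_prefix)
                out[entry].update(category=cat, note=note)
                out[entry]["rights"].append(right)
    return dict(out)
```

Keep the printed report with the GPO backup: it is the "documentation" #5 refers to, and a SID listed under several rights is the one to pull from all of them in the same change window.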
