
[Win2003Server] Lost local accounts on domain controller

microsoft.public.windows.server.security
Posted by Math on October 17, 2005, 9:39 am
Hi,

I have a Windows 2003 based server which is part of a domain, and which is a
domain controller itself.
My problem is the following: when trying to modify security settings on a
folder, I can't get the local accounts of the server. The only proposed
accounts are the domain accounts.

Any idea to recover those accounts?

Help much appreciated ;)




Posted by Steven L Umbach on October 17, 2005, 3:55 am
There are no local user accounts on a domain controller other than the
built-in administrator account that was created when you used dcpromo to promote
the server to a domain controller and is only available in Directory
Services Restore Mode or for Recovery Console. All other local accounts were
deleted when you promoted it to a domain controller. Local accounts do exist
and can be created on other domain members. -- Steve






Posted by Math on October 17, 2005, 12:01 pm
Thank you Steve for your explanation.



However, on some folders the server's "NT AUTHORITY\NETWORK SERVICE" user
(for instance) is still present in the security tab, but not listed in the
domain available users when searching the available users. Is it a special
kind of user? If yes, how can I set this user in a folder security
configuration on the same server?

Maybe I should create this user for the whole domain?



Another related question:

I have another Windows 2003 based server named MYSERVERXXX (for instance),
which is part of the domain, but is not a domain controller.

When modifying a folder's security configuration on another domain member
server, I can't find the IUSR_MYSERVERXXX user.

Do I need to promote MYSERVERXXX to a domain controller in order to get this
user on another domain member server?



Thanks again for your answers ;)


Mathieu





Posted by Paul Adare on October 17, 2005, 6:30 am
microsoft.public.windows.server.security news group, Math

> Thank you Steve for your explanation.
>
>
>
> However, on some folders the server's "NT AUTHORITY\NETWORK SERVICE" user
> (for instance) is still present in the security tab, but not listed in the
> domain available users when searching the available users. Is it a special
> kind of user? If yes, how can I set this user in a folder security
> configuration on the same server?

You won't find this account when searching the domain as it is not a
domain account, it is a built-in account. When adding to the DACL of a
folder, even on a domain controller, if you want to use the NETWORK
SERVICE account, simply type NETWORK SERVICE into the appropriate text
box. When you click Check Names you'll see that it will resolve
correctly.

>
> Maybe I should create this user for the whole domain?

No, this won't do any good.

>
>
>
> Another related question:
>
> I have another Windows 2003 based server named MYSERVERXXX (for instance),
> which is part of the domain, but is not a domain controller.
>
> When modifying a folder's security configuration on another domain member
> server, I can't find the IUSR_MYSERVERXXX user.

That's because this account is a local account. It only scopes to the
computer that IIS is installed on and can't be used anywhere else but on
that server.

>
> Do I need to promote MYSERVERXXX to a domain controller in order to get this
> user on another domain member server?

I think that maybe you've got a basic lack of understanding of how
permissions work in a Windows Server environment. It might help if you
describe what exactly you're trying to accomplish here. Whatever that
may be, you're obviously not approaching it in the right way.


--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
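
The two points in the reply above, as a PowerShell sketch (an added example, not part of the original thread). The folder path is a hypothetical placeholder, the account names are the ones used in the thread, and the script is assumed to run elevated on the server that owns the folder.

```powershell
# Hypothetical folder on the local server; adjust before running.
$folder = 'C:\Data\AppFolder'

# NETWORK SERVICE is a built-in principal with the well-known SID S-1-5-20.
# The SID is identical on every Windows machine, domain controllers included,
# so it resolves locally and never appears in a domain account search.
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$account = $sid.Translate([System.Security.Principal.NTAccount])
"{0} resolves to {1}" -f $sid.Value, $account.Value

# Grant Modify on the folder, inherited by subfolders and files.
# Using the SID rather than the display name avoids name lookup problems.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Read the DACL back and show the entry that was just added.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $account.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# IUSR_MYSERVERXXX is a local account: it exists only in the account database
# of the server where IIS was installed, so a lookup from any other machine
# is expected to fail, which is why it never shows up in the object picker.
$remoteLocal = New-Object System.Security.Principal.NTAccount(
    'MYSERVERXXX', 'IUSR_MYSERVERXXX')
try {
    $remoteLocal.Translate([System.Security.Principal.SecurityIdentifier]) | Out-Null
    "$remoteLocal resolved on this machine"
} catch {
    "$remoteLocal did not resolve on this machine"
}
```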


Posted by Math on October 17, 2005, 1:25 pm
> I think that maybe you've got a basic lack of understanding of how
> permissions work in a Windows Server environment.
Yes, that is why I'm asking before acting and messing up.

> simply type NETWORK SERVICE into the appropriate text
> box. When you click Check Names you'll see that it will resolve
> correctly.
I did try to do this, but didn't succeed: Windows didn't find the user...
(I'm sure of the name syntax)
Notice that the only place available to search in is the domain.

> It might help if you
> describe what exactly you're trying to accomplish here
I'd like to permit an IIS application on SERVERXX1 to access with write
permission a folder on SERVERXX2.
Considering that the user running my IIS application is IUSR_SERVERXX1, I'd
like to permit this specific user to access the folder on SERVERXX2.

Mathieu




