Thursday, October 25, 2012

Modifying Built-in AD Objects

While working on cross-forest cert enrollment, I noticed I couldn't add an cross-forest object to an AD built-in group object, e.g. "Cert Publishers" group. The built-in group is of "Global Security" scope that is unable to add objects outside a forest. Rightfully, it should be of "Domain Local" type, so that cross-forest objects can be added. If it's not a built-in object, we can simply change it to "Universal" and then "Domain Local" using "AD users and computers" console. 

Nevertheless, we can use the SYSTEM account to modify the built-in group scope.
  1. Download pstools from link:
  2. Extract it and get psexec.exe and copy it to a Domain Controller (DC).
  3. Open new command and run the command psexec.exe -s “cmd”, click Accept/Yes.
  4. We will get a new command that run under System account.
  5. Under new command prompt, please run the command below:
                dsmod group “CN=Cert Publishers,CN=Users,DC=contoso,DC=com” -scope U
                dsmod group “CN=Cert Publishers,CN=Users,DC=contoso,DC=com” -scope L

This would convert built-in group scope to Domain Local.

Note: If the AD was first created on Windows Server 2000, the group scope type was created "Global Security" and would remain as it was, even when there was AD prep and upgrade subsequently.

1 comment:

  1. Thanks.

    I had one issue running on server 2012, The psexec step to run as system was not needed and would throw

    "Target object for this command has incorrect format" error."

    Hopefully helps someone else.