When you run the Gpresult.exe tool on a Windows Server 2003-based domain controller, incorrect computer account group memberships may be displayed

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
When you run the Gpresult.exe command-line tool on a Microsoft Windows Server 2003-based domain controller, the following computer account group memberships may be unexpectedly displayed:
Administrators
Everybody
Authenticated Users
Additionally, when you run the Gpresult.exe tool on a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller in a particular situation, the following incorrect computer account group memberships may be displayed:
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
ComputerName$
Domain Computers
Note In these results, the domain controller is listed as a member of the Domain Computers security group instead of as a member of the Domain Controllers security group.

You will experience this issue on a Windows Server 2003 SP1-based domain controller when you run the Gpresult.exe tool in the following way:
  1. You already have one domain controller that is configured by using DNS.
  2. You add one Windows Server 2003 SP1-based member server to this domain.
  3. You create a new organizational unit (OU) on the domain controller that is mentioned in step 1 and then move the security group "domain controllers" inside the new OU.
  4. Make the Windows Server 2003 SP1-based member server that is mentioned in step 2 a domain controller that is joined to the domain that is mentioned in step 1.
  5. Run the Gpresult.exe tool at a command prompt on the domain controller that is mentioned in step 4 .
By default, when you run the Gpresult.exe tool on a Windows Server 2003-based domain controller, the following computer account group memberships are listed:
BUILTIN\Administrators
Everyone
BUILTIN\ Pre-Windows 2000 Compatible Access
BUILTIN\UsersWindows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
ComputerName$
Domain Controllers
CAUSE
This issue may occur because of a race condition in the Net Logon service start time.
RESOLUTION
To resolve this issue immediately, follow these steps:
  1. Disconnect the network connection, and then restart the domain controller.
  2. After the domain controller has started, reestablish the network connection, and then restart the domain controller again.
  3. Use the Gpresult.exe tool to verify that the computer account group memberships are correct.
To resolve this issue for future domain controller promotions on a Windows Server 2003-based computer without a service pack, join the server to a domain before you install the Active Directory directory service on the server.

Note To install Active Directory on a server, run the Active Directory Install Wizard (Dcpromo.exe) at a command prompt.
MORE INFORMATION
For more information about the Gpresult.exe tool, type gpresult /? at the command prompt, and then press ENTER.
Properties

Article ID: 889501 - Last Review: 01/16/2015 01:37:58 - Revision: 2.3

  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • kbnosurvey kbarchive kbwinservnetwork kbnetwork kbtshoot kbprb KB889501
Feedback