Authenticated Users builtin group in AD deleted
You can't delete the 'NT Authority\Authenticated Users' (SID S-1-5-11) group.
You also cannot view this group in AD Users and Computers, which would explain why you can't see it using that tool.
It's not a "real" security group the way that "DOMAIN\Domain Admins" is, for instance. The membership of "Authenticated Users" is dynamically generated and represents everyone who has authenticated to the domain.
Edit: Actually you can view it as a Foreign Security Principal in the ForeignSecurityPrincipals container. It was wrong of me to bluntly state that you just can't see it in ADUC. But keep in mind that this FSP is not the actual object itself. You can even delete that FSP too... I just did so in my lab to see what would happen. But deleting an FSP is not the same as deleting the object it represents. You can still resolve the SID to name, you still get NT AUTHORITY\Authenticated Users in your token when you log on to a server (whoami /groups), and you can still assign the Authenticated Users group to ACLs. All computers understand that well-known SID. Nothing seems to be breaking in my test domain...
I was able to recreate the Foreign Security Principal by adding it to a group. (I added it to the "Users" group for instance.) The act of referencing it caused the Directory Services Engine to automatically recreate the FSP in the ForeignSecurityPrincipals container where it belongs.
I realize that this probably no longer has anything to do with your actual problem - I'm off in the weeds now - but I thought this was neat. Here is me in my domain in which I have deleted the "Authenticated Users" foreign security principal, and rebooted both my DCs. I am still able to translate the SID S-1-5-11 even though the FSP is long gone:
(Then I recreated the FSP by adding it to a group as mentioned above.)
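The checks described in the answer above, as an added PowerShell example that is not part of the original post. It assumes PowerShell 5 or later on a domain-joined Windows host with the RSAT ActiveDirectory module installed; the scratch directory name `au-acl-test` is made up for the example.

```powershell
# Added example: verify that S-1-5-11 keeps working whether or not its
# Foreign Security Principal (FSP) placeholder exists in the directory.
Import-Module ActiveDirectory

$sid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')

# 1. SID-to-name translation (the check the answer ran after deleting the FSP).
$name = $sid.Translate([System.Security.Principal.NTAccount]).Value

# 2. Is the SID in the current logon token? Same data as `whoami /groups`.
$token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inToken = $token.Groups.Value -contains $sid.Value

# 3. Does the FSP placeholder exist? FSP objects are named after the SID string.
$domainDn = (Get-ADDomain).DistinguishedName
$fsp = Get-ADObject -SearchBase "CN=ForeignSecurityPrincipals,$domainDn" `
    -LDAPFilter '(&(objectClass=foreignSecurityPrincipal)(cn=S-1-5-11))' `
    -Properties memberOf

# 4. Can the SID still be placed on an ACL? Tested on a scratch directory
#    (hypothetical name) that is removed again afterwards.
$dir  = New-Item -ItemType Directory -Force -Path (Join-Path $env:TEMP 'au-acl-test')
$acl  = Get-Acl -Path $dir.FullName
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid, 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dir.FullName -AclObject $acl
$onAcl = [bool]((Get-Acl -Path $dir.FullName).Access |
    Where-Object { $_.IdentityReference.Value -eq $name })
Remove-Item -Path $dir.FullName -Recurse -Force

[pscustomobject]@{
    Sid           = $sid.Value
    ResolvedName  = $name
    InLogonToken  = $inToken
    FspPresent    = [bool]$fsp
    FspMemberOf   = $fsp.memberOf -join '; '
    AclAssignable = $onAcl
}
```

`FspPresent` is the only field tied to the placeholder object; the other checks do not read it.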
Toren
Updated on September 18, 2022
Comments
-
Toren over 1 year
I'm trying to copy a file from a running Docker container to a Google bucket.
The Cloud Resource API is enabled in my GCP project.
The command I try to execute from the local Docker located on my laptop:
    gsutil cp README gs://<my_bucket>/<folder>/
The error I get looks like the following:
    Copying file://README [Content-Type=application/octet-stream]...
    Your "GCE" credentials are invalid. Please run
      $ gcloud auth login
    apitools.base.py.exceptions.ResourceUnavailableError: GCE credentials requested outside a GCE instance
My Dockerfile configuration:
    FROM python:3.6.11

    WORKDIR /root

    # Installs google cloud sdk, this is mostly for using gsutil to export model.
    RUN wget -nv \
        https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz && \
        mkdir /root/tools && \
        tar xvzf google-cloud-sdk.tar.gz -C /root/tools && \
        rm google-cloud-sdk.tar.gz && \
        /root/tools/google-cloud-sdk/install.sh --usage-reporting=false \
            --path-update=false --bash-completion=false \
            --disable-installation-options && \
        rm -rf /root/.config/* && \
        ln -s /root/.config /config && \
        # Remove the backup directory that gcloud creates
        rm -rf /root/tools/google-cloud-sdk/.install/.backup

    # Path configuration
    ENV PATH $PATH:/root/tools/google-cloud-sdk/bin
    # Make sure gsutil will use the default service account
    RUN echo '[GoogleCompute]\nservice_account = default' > /etc/boto.cfg

    COPY config/goog.json /usr/src/config/key_file.json

    # setup GCP credentials
    ENV GOOGLE_APPLICATION_CREDENTIALS=/usr/src/config/key_file.json
    RUN gcloud auth activate-service-account --key-file=/usr/src/config/key_file.json && \
        gcloud --quiet config set compute/zone us-central1-a && \
        gcloud --quiet config set project <my_project_name>
Is any configuration missing?
-
Rob Moir over 9 years
Is the AD restore bin an option?
-
David Corsalini over 9 years
The change is over 180 days old
-
guillaume blaquiere almost 4 years
Did you try to comment out the boto line? You may be creating confusion with this.
-
Jose V almost 4 years
Were you able to try if removing the boto line solves the issue?
-
Toren almost 4 years
@guillaumeblaquiere Thanks! It worked.
-
Toren almost 4 years
@JoseV Thanks for reminding me!
-
guillaume blaquiere almost 4 years
@Toren. I just answered to help others find the answer if they have similar issues.
-
David Corsalini over 9 years
You are correct, I've tried to assign a GPO to auth users and that worked. Could have sworn I've seen the group in ADUC before... I'll close this one off, formulate a better question. Thanks!
-
Ryan Ries over 9 years
@jscott Edited my post for clarification... you rabble-rouser.
-
David Corsalini over 9 years
Thanks guys, the new guy who replaced the previous one (who will end up with all his limbs after all) raised an alarm, and it's my fault for not checking things thoroughly myself before coming here, guess I'm not that much of an MS tech connoisseur.