Why is my global security group being filtered out of my logon token?

Posted by Jay Michaud on Server Fault
Published on 2009-06-25T19:18:40Z Indexed on 2012/06/20 21:18 UTC

While investigating the effects of filtered tokens on my file permissions, I noticed that one of my global security groups is being filtered in addition to the regular system-defined filtered groups.

My Active Directory environment is a single-domain forest on the Windows Server 2003 functional level. I'll call the domain "mydomain.example.com". I am logged onto a Windows Server 2008 Enterprise Edition machine (not a domain controller) as a member of the "MYDOMAIN\Domain Admins" group and the "MYDOMAIN\MySecurityGroup" global security group (among others). When I run "whoami /groups" from an elevated command prompt, I see the full list of groups to which my account belongs as expected. When I run "whoami /groups" from a regular, non-elevated command prompt, I see the same list of groups, but the following groups are described as "Group used for deny only".

  1. BUILTIN\Administrators
  2. MYDOMAIN\Schema Admins
  3. MYDOMAIN\Offer Remote Assistance Helpers
  4. MYDOMAIN\MySecurityGroup

Numbers 1 through 3 above are expected based on Microsoft documentation; number 4 is not. The "MYDOMAIN\MySecurityGroup" global security group is a group that I created. It contains three non-built-in global security groups, and these security groups contain only non-built-in user accounts. (That is, I created all of the accounts and groups that are members of the "MYDOMAIN\MySecurityGroup" global security group.) There are other, similar groups of which my account is a member that are not being filtered out of my logon token, and this group is not granted any specific user rights in the security settings of this computer or in Group Policy.

What would cause this one group to be filtered out of my logon token?
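An added example, not part of the original post: one way to make the comparison described above repeatable is to capture `whoami /groups /fo csv` from the elevated and the non-elevated prompt and diff the deny-only entries. The sample CSV is constructed, the domain SIDs are placeholders, and `MYDOMAIN\OtherGroup` and the function names are hypothetical.

```python
import csv
import io

DENY_ONLY = "Group used for deny only"
ON = "Mandatory group, Enabled by default, Enabled group"
# Groups the post lists as expected to be filtered.
EXPECTED = {
    r"BUILTIN\Administrators",
    r"MYDOMAIN\Schema Admins",
    r"MYDOMAIN\Offer Remote Assistance Helpers",
}
FILTERED_NAMES = EXPECTED | {r"MYDOMAIN\MySecurityGroup"}
HEADER = '"Group Name","Type","SID","Attributes"\n'
# Constructed sample rows (name, type, SID); domain SIDs are made-up placeholders.
ROWS = [
    ("Everyone", "Well-known group", "S-1-1-0"),
    (r"BUILTIN\Administrators", "Alias", "S-1-5-32-544"),
    (r"MYDOMAIN\Schema Admins", "Group", "S-1-5-21-1-2-3-518"),
    (r"MYDOMAIN\Offer Remote Assistance Helpers", "Alias", "S-1-5-21-1-2-3-1101"),
    (r"MYDOMAIN\MySecurityGroup", "Group", "S-1-5-21-1-2-3-1102"),
    (r"MYDOMAIN\OtherGroup", "Group", "S-1-5-21-1-2-3-1103"),
]

def render(deny_names):
    """Build constructed `whoami /groups /fo csv` text for the sample rows."""
    lines = [f'"{n}","{t}","{s}","{DENY_ONLY if n in deny_names else ON}"'
             for n, t, s in ROWS]
    return HEADER + "\n".join(lines) + "\n"

def deny_only_groups(csv_text):
    """Map group name -> SID for every row flagged as deny-only."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["Group Name"]: r["SID"] for r in reader
            if DENY_ONLY in r["Attributes"]}

def unexpected_filtered(elevated_csv, filtered_csv, expected=EXPECTED):
    """Groups that are deny-only in the filtered token only and not in `expected`."""
    elevated = deny_only_groups(elevated_csv)
    filtered = deny_only_groups(filtered_csv)
    return sorted((n, s) for n, s in filtered.items()
                  if n not in elevated and n not in expected)

if __name__ == "__main__":
    # With real data, read the two captured CSV files instead of render().
    for name, sid in unexpected_filtered(render(set()), render(FILTERED_NAMES)):
        print(f"unexpected deny-only group: {name} ({sid})")
```

The SID returned for each unexpected group identifies the exact group object to inspect in the directory.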
