Re: Domain Admin groups - users disappear/reappear ???

 
 
Meinolf Weber [MVP-DS]

 
      11-17-2009
Hello JayDee,

There is no automatic adding from users to security groups. Never heard
about. If you would talk about removed permissions for user that are added
to some builtin groups I would say it belongs to the AdminSDHolder process
running each hour.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Ok, this is a very interesting observation I have made as a result of
> a simple script I wrote. The objective was to send an email when a
> user is added to or removed from an admin group in the domain (Domain
> Admins, Account Ops, Server Ops, etc...). The way the script works is
> to check the membership of the groups every 15 minutes and export the
> members to a text file (using DSQUERY/DSGET for group membership).
> Each time the script runs, it does a file compare (FC) between the
> current and last file for that group to see if changes were made.
>
> Here's the weird part: Although the script runs every two hours, this
> occurs at different seemingly random intervals. I will receive emails
> stating some users were removed, then were added to a number of admin
> groups at the same time! Does AD remove and readd groups to domain
> admin groups occasionally during some kind of background maintenance?
> Since the script and methodology are relatively simple and more
> importantly the problem occurs at random intervals, not all intervals,
> I don't think it has anything to do with the script itself. Oh, and
> this happens regardless of whether or not any changes were actually
> made to the groups.
>
> Any takers?? I'm ready to be impressed.
>
> - JayDee
>



 
 
 
 
 
Ace Fekay [MCT]

 
      11-17-2009
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:. com...
> Hello JayDee,
>
> There is no automatic adding from users to security groups. Never heard
> about. If you would talk about removed permissions for user that are added
> to some builtin groups I would say it belongs to the AdminSDHolder process
> running each hour.
>
> Best regards
>
> Meinolf Weber


Hi Meinolf,

I'm leaning towards the AdminSDHolder causing it, too. Paul posted a link
for the explanation.

Otherwise, and just to make sure, I would enable auditing on all DCs to see
if it's someone physically changing the memberships.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.



 
 
Florian Frommherz [MVP]

 
      11-17-2009
Howdie!

Ace Fekay [MCT] wrote:
> I'm leaning towards the AdminSDHolder causing it, too. Paul posted a link
> for the explanation.


Thinking about this... from the poster's message, I read that he's
getting the domain's default groups (DA, EA, SO, ...) reset which is
not what AdminSDHolder does - at least that's my understanding of the
message and AdminSDHolder. Hmm... let's see what he responds.

Florian
 
 
Ace Fekay [MCT]

 
      11-17-2009
"Florian Frommherz [MVP]" <> wrote in message
news:...
> Howdie!
>
> Ace Fekay [MCT] wrote:
>> I'm leaning towards the AdminSDHolder causing it, too. Paul posted a link
>> for the explanation.

>
> Thinking about this... from the poster's message, I read that he's getting
> the domain's default groups (DA, EA, SO, ...) reset which is not what
> AdminSDHolder does - at least that's my understanding of the message and
> AdminSDHolder. Hmm... let's see what he responds.
>
> Florian



Hmm, now you got me thinking! Yes, I agree, let's see what he responds with.

Ace


 
 
Ace Fekay [MCT]

 
      11-20-2009
> On Nov 17, 1:19 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org>
> wrote:
>> "Florian Frommherz [MVP]" <flor...@frickelsoft.net> wrote in
>> message news:. ..
>>
>>> Howdie!

>>
>>> Ace Fekay [MCT] wrote:
>>>> I'm leaning towards the AdminSDHolder causing it, too. Paul posted a link
>>>> for the explanation.

>>
>>> Thinking about this... from the poster's message, I read that he's getting
>>> the domain's default groups (DA, EA, SO, ...) reset which is not what
>>> AdminSDHolder does - at least that's my understanding of the message and
>>> AdminSDHolder. Hmm... let's see what he responds.
>>> Florian

>>
>> Hmm, now you got me thinking! Yes, I agree, let's see what he responds with.
>>
>> Ace

>
> hi guys... thanks for all the replies. I've skimmed through the
> article. Right away, this problem does not happen every hour (when the
> AdminSDHolder process runs) and often happens when no changes are
> being made, not only when I receive an email stating someone was
> added or removed. OH! and when it happens, it happens to all of the
> BUILT-IN admin groups simultaneously (domain admins, admins, account
> operators) - not other groups. My feeling is AdminSDHolder
> functionality is not causing the problem. But I definitely welcome
> more opinions!!
>
> thanks again
>
> - jaydee


Jaydee,

Have you looked at the actual script output and physically compared
what was added or removed?

As Florian suggested, have you enabled auditing for directory services
changes? This way you can compare the report your script is providing
with any actual changes that auditing provides.

It may be something with how the script is pulling the data from AD.
I'm not an expert on scripting, however, if you can post the script,
one of the folks who are knowledgeable with scripting may be better
able to help.

My feeling is possibly to use auditing and create a script to read the
audit logs to determine when changes are made.

Ace
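
Added example, not part of the thread and not JayDee's script: a sketch of the cross-check Ace suggests, comparing two membership exports as sets so that line order alone cannot trigger an alert, then matching each reported change against audit records. The DNs, the example.test domain and the audit record layout are constructed assumptions; mapping real Security log events into that layout is not shown.

```python
# Added example: order-insensitive membership diff, cross-checked against audit
# records. Every DN and audit record below is constructed sample data.

def parse_members(dsget_output):
    """Turn 'dsget group -members' style output (one quoted DN per line) into a set."""
    members = set()
    for line in dsget_output.splitlines():
        dn = line.strip().strip('"')
        if dn:
            members.add(dn.lower())  # DNs compare case-insensitively
    return members

def diff_snapshots(previous, current):
    """Return (added, removed) as sorted lists, ignoring line order."""
    if not previous or not current:
        # Treat an empty export as a failed query instead of reporting a mass removal.
        raise ValueError("empty snapshot: query failed or export incomplete")
    return sorted(current - previous), sorted(previous - current)

def corroborate(added, removed, audit_events):
    """Split reported changes into audit-confirmed and unexplained ones."""
    seen = {(e["action"], e["member"].lower()) for e in audit_events}
    changes = [("add", m) for m in added] + [("remove", m) for m in removed]
    confirmed = [c for c in changes if c in seen]
    unexplained = [c for c in changes if c not in seen]
    return confirmed, unexplained

# Constructed snapshots of one admin group (hypothetical example.test domain).
PREVIOUS = '"CN=Alice,OU=Admins,DC=example,DC=test"\n"CN=Bob,OU=Admins,DC=example,DC=test"\n'
REORDERED = '"CN=Bob,OU=Admins,DC=example,DC=test"\n"cn=alice,OU=Admins,DC=example,DC=test"\n'
CHANGED = REORDERED + '"CN=Carol,OU=Users,DC=example,DC=test"\n'

# Constructed audit records; the dict layout is an assumption, not a Windows format.
AUDIT = [{"action": "add", "member": "CN=Carol,OU=Users,DC=example,DC=test",
          "actor": "EXAMPLE\\dave"}]

if __name__ == "__main__":
    prev = parse_members(PREVIOUS)
    print(diff_snapshots(prev, parse_members(REORDERED)))  # same members, new order
    added, removed = diff_snapshots(prev, parse_members(CHANGED))
    print(corroborate(added, removed, AUDIT))
    print(corroborate(added, removed, []))  # change with no audit record behind it
```

A change that lands in the unexplained list is the case worth investigating: either the export was wrong or a membership change happened without a matching audit record.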


 