Re: Domain Admin groups - users disappear/reappear ???

I think Meinolf already touched on it but I would suspect ADMINSDHolder
could be the culprit, but all that does is modify the acl's.

http://technet.microsoft.com/en-us/m...minholder.aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"JayDee" <> wrote in message
news:b4a32258-4bea-47fe-8d98-...
> Ok, this is a very interesting observation I have made as a result of
> a simple script I wrote. The objective was to send an email when a
> user is added to or removed from an admin group in the domain (Domain
> Admins, Account Ops, Server Ops, etc...). The way the script works is
> to check the membership of the groups every 15 minutes and export the
> members to a text file (using DSQUERY/DSGET for group membership).
> Each time the script runs, it does a file compare (FC) between the
> current and last file for that group to see if changes were made.
>
> Here's the weird part: Although the script runs every two hours, this
> occurs at different seemingly random intervals. I will receive emails
> stating some users were removed, then were added to a number of admin
> groups at the same time! Does AD remove and readd groups to domain
> admin groups occasionally during some kind of background maintenance?
> Since the script and methodology are relatively simple and more
> importantly the problem occurs at random intervals, not all intervals,
> I don't think it has anything to do with the script itself. Oh, and
> this happens regardless of whether or not any changes were actually
> made to the groups.
>
> Any takers?? I'm ready to be impressed.
>
> - JayDee