Domain Admin groups - users disappear/reappear ??? [message #319679] Tue, 17 November 2009 01:51
JayDee (United States)
Ok, this is a very interesting observation I have made as a result of
a simple script I wrote. The objective was to send an email when a
user is added to or removed from an admin group in the domain (Domain
Admins, Account Ops, Server Ops, etc...). The way the script works is
to check the membership of the groups every 15 minutes and export the
members to a text file (using DSQUERY/DSGET for group membership).
Each time the script runs, it does a file compare (FC) between the
current and last file for that group to see if changes were made.

Here's the weird part: Although the script runs every two hours, this
occurs at different seemingly random intervals. I will receive emails
stating some users were removed, then were added to a number of admin
groups at the same time! Does AD remove and readd groups to domain
admin groups occasionally during some kind of background maintenance?
Since the script and methodology are relatively simple and more
importantly the problem occurs at random intervals, not all intervals,
I don't think it has anything to do with the script itself. Oh, and
this happens regardless of whether or not any changes were actually
made to the groups.

Any takers?? I'm ready to be impressed. :)

- JayDee
Re: Domain Admin groups - users disappear/reappear ??? [message #319698 is a reply to message #319679] Tue, 17 November 2009 02:47
florian (Switzerland)
Howdie!

JayDee wrote:
> Here's the weird part: Although the script runs every two hours, this
> occurs at different seemingly random intervals. I will receive emails
> stating some users were removed, then were added to a number of admin
> groups at the same time! Does AD remove and readd groups to domain
> admin groups occasionally during some kind of background maintenance?
> Since the script and methodology are relatively simple and more
> importantly the problem occurs at random intervals, not all intervals,
> I don't think it has anything to do with the script itself. Oh, and
> this happens regardless of whether or not any changes were actually
> made to the groups.

Hmm - there's no mechanism I'd know of. Maybe Restricted Groups in a
Group Policy linked to the Domain Controllers OU to protect admin
groups. I'd check on that.

Other than that, I'd enable auditing to see whether there actually are
changes at the directory.

You're sure the script is running correctly, right? ;)

Florian
Re: Domain Admin groups - users disappear/reappear ??? [message #319699 is a reply to message #319679] Tue, 17 November 2009 02:47
meiweb (Germany)
Hello JayDee,

There is no automatic adding of users to security groups. Never heard
about it. If you are talking about removed permissions for users that are
added to some builtin groups, I would say it belongs to the AdminSDHolder
process running each hour.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Domain Admin groups - users disappear/reappear ??? [message #319829 is a reply to message #319679] Tue, 17 November 2009 06:18
pbbergs (United States)
I think Meinolf already touched on it but I would suspect ADMINSDHolder
could be the culprit, but all that does is modify the ACLs.

http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Re: Domain Admin groups - users disappear/reappear ??? [message #319887 is a reply to message #319699] Tue, 17 November 2009 07:30
aceman (United States)
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d9ae78cc358a6d6e9a82@msnews.microsoft.com...
> Hello JayDee,
>
> There is no automatic adding of users to security groups. Never heard
> about it. If you are talking about removed permissions for users that are
> added to some builtin groups, I would say it belongs to the AdminSDHolder
> process running each hour.
>
> Best regards
>
> Meinolf Weber

Hi Meinolf,

I'm leaning towards the AdminSDHolder causing it, too. Paul posted a link
for the explanation.

Otherwise, and just to make sure, I would enable auditing on all DCs to see
if it's someone physically changing the memberships.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: Domain Admin groups - users disappear/reappear ??? [message #319899 is a reply to message #319887] Tue, 17 November 2009 07:48
florian (Switzerland)
Howdie!

Ace Fekay [MCT] wrote:
> I'm leaning towards the AdminSDHolder causing it, too. Paul posted a link
> for the explanation.

Thinking about this... from the poster's message, I read that he's
getting the domain's default groups (DA, EA, SO, ...) reset which is
not what AdminSDHolder does - at least that's my understanding of the
message and AdminSDHolder. Hmm... let's see what he responds.

Florian
Re: Domain Admin groups - users disappear/reappear ??? [message #320359 is a reply to message #319899] Tue, 17 November 2009 14:19
aceman (United States)
"Florian Frommherz [MVP]" <florian@frickelsoft.net> wrote in message
news:uDfQBU5ZKHA.4688@TK2MSFTNGP06.phx.gbl...
> Howdie!
>
> Ace Fekay [MCT] wrote:
>> I'm leaning towards the AdminSDHolder causing it, too. Paul posted a link
>> for the explanation.
>
> Thinking about this... from the poster's message, I read that he's getting
> the domain's default groups (DA, EA, SO, ...) reset which is not what
> AdminSDHolder does - at least that's my understanding of the message and
> AdminSDHolder. Hmm... let's see what he responds.
>
> Florian


Hmm, now you got me thinking! Yes, I agree, let's see what he responds with.

Ace
Re: Domain Admin groups - users disappear/reappear ??? [message #322846 is a reply to message #320359] Thu, 19 November 2009 17:56
anomlee (United States)
On Nov 17, 1:19 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org>
wrote:
> "Florian Frommherz [MVP]" <flor...@frickelsoft.net> wrote in message news:uDfQBU5ZKHA.4688@TK2MSFTNGP06.phx.gbl...
>
> > Howdie!
>
> > Ace Fekay [MCT] wrote:
> >> I'm leaning towards the AdminSDHolder causing it, too. Paul posted a link
> >> for the explanation.
>
> > Thinking about this... from the poster's message, I read that he's getting
> > the domain's default groups (DA, EA, SO, ...) reset which is not what
> > AdminSDHolder does - at least that's my understanding of the message and
> > AdminSDHolder. Hmm... let's see what he responds.
>
> > Florian
>
> Hmm, now you got me thinking! Yes, I agree, let's see what he responds with.
>
> Ace

hi guys... thanks for all the replies. I've skimmed through the
article. Right away, this problem does not happen every hour (when the
AdminSDHolder process runs) and often happens when no changes are
being made, not only when I receive an email stating someone was
added or removed. OH! and when it happens, it happens to all of the
BUILT-IN admin groups simultaneously (domain admins, admins, account
operators) - not other groups. My feeling is AdminSDHolder
functionality is not causing the problem. But I definitely welcome
more opinions!!

thanks again

- jaydee
Re: Domain Admin groups - users disappear/reappear ??? [message #322871 is a reply to message #322846] Thu, 19 November 2009 18:58
aceman (United States)
> On Nov 17, 1:19 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org>
> wrote:
>> "Florian Frommherz [MVP]" <flor...@frickelsoft.net> wrote in
>> message news:uDfQBU5ZKHA.4688@TK2MSFTNGP06.phx.gbl...
>>
>>> Howdie!
>>
>>> Ace Fekay [MCT] wrote:
>>>> I'm leaning towards the AdminSDHolder causing it, too. Paul posted a link
>>>> for the explanation.
>>
>>> Thinking about this... from the poster's message, I read that he's getting
>>> the domain's default groups (DA, EA, SO, ...) reset which is not what
>>> AdminSDHolder does - at least that's my understanding of the message and
>>> AdminSDHolder. Hmm... let's see what he responds.
>>> Florian
>>
>> Hmm, now you got me thinking! Yes, I agree, let's see what he responds with.
>>
>> Ace
>
> hi guys... thanks for all the replies. I've skimmed through the
> article. Right away, this problem does not happen every hour (when the
> AdminSDHolder process runs) and often happens when no changes are
> being made, not only when I receive an email stating someone was
> added or removed. OH! and when it happens, it happens to all of the
> BUILT-IN admin groups simultaneously (domain admins, admins, account
> operators) - not other groups. My feeling is AdminSDHolder
> functionality is not causing the problem. But I definitely welcome
> more opinions!!
>
> thanks again
>
> - jaydee

Jaydee,

Have you looked at the actual script output and physically compared
what was added or removed?

As Florian suggested, have you enabled auditing for directory services
changes? This way you can compare the report your script is providing
with any actual changes that auditing provides.

It may be something with how the script is pulling the data from AD.
I'm not an expert on scripting, however, if you can post the script,
one of the folks who are knowledgeable with scripting may be better
able to help.

My feeling is possibly to use auditing and create a script to read the
audit logs to determine when changes are made.

Ace
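
Added example (not part of the thread and not the poster's script): one way to rule out the comparison step itself as the source of the alerts. FC compares files line by line, so a change in output order or whitespace registers as a difference; this sketch compares two membership snapshots as sets and reports a suddenly empty result as a suspect query instead of a removal. It assumes PowerShell 5 or later and input in the one-quoted-DN-per-line form that `dsget group <GroupDN> -members` prints; the function names and sample DNs are constructed.

```powershell
# Added example: sample DNs and function names are constructed, not from the thread.
# Input lines mimic "dsget group <GroupDN> -members" output: one quoted DN per line.

function ConvertTo-MemberSet {
    param([string[]]$Lines)
    # DNs compare case-insensitively in AD, so the set does too.
    $set = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in $Lines) {
        $dn = "$line".Trim().Trim('"')
        # Keep only lines shaped like a DN; blank or status lines are skipped.
        if ($dn -match '^[A-Za-z]+=.+') { [void]$set.Add($dn) }
    }
    return ,$set   # the comma stops PowerShell from unrolling the set
}

function Compare-GroupSnapshot {
    param([string[]]$Previous, [string[]]$Current)
    $old = ConvertTo-MemberSet $Previous
    $new = ConvertTo-MemberSet $Current
    # A populated group that suddenly reads as empty is reported as a suspect
    # query (DC unreachable, truncated file) rather than as a mass removal.
    if ($old.Count -gt 0 -and $new.Count -eq 0) {
        return [pscustomobject]@{ Status = 'QuerySuspect'; Added = @(); Removed = @() }
    }
    $added   = @($new | Where-Object { -not $old.Contains($_) } | Sort-Object)
    $removed = @($old | Where-Object { -not $new.Contains($_) } | Sort-Object)
    $status  = if ($added.Count -or $removed.Count) { 'Changed' } else { 'Unchanged' }
    [pscustomobject]@{ Status = $status; Added = $added; Removed = $removed }
}

# Constructed snapshots of one group.
$previous = @(
    '"CN=Alice Admin,CN=Users,DC=example,DC=test"',
    '"CN=Bob Backup,CN=Users,DC=example,DC=test"'
)
# Same members, different order, case and trailing whitespace.
$reordered = @(
    '"CN=Bob Backup,CN=Users,DC=example,DC=test"  ',
    '"cn=alice admin,CN=Users,DC=example,DC=test"'
)
$realChange = $reordered + '"CN=Carol Ops,CN=Users,DC=example,DC=test"'

Compare-GroupSnapshot $previous $reordered  | Format-List
Compare-GroupSnapshot $previous $realChange | Format-List
Compare-GroupSnapshot $previous @()         | Format-List
```

Alerting only on the `Changed` status, and logging `QuerySuspect` separately, gives a report that can be lined up against the directory service audit events suggested in the thread.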
Re: Domain Admin groups - users disappear/reappear ??? [message #323003 is a reply to message #322846] Thu, 19 November 2009 23:16
meiweb (Germany)
Hello anomlee,

As said when I mentioned the AdminSDHolder, it was just a small thought but
your symptoms do not really belong to this. Maybe the script content
can help as mentioned, and some more logging may also give some info, as
Florian already said.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

