Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » AD Computer Accounts being Deleted Randomly
AD Computer Accounts being Deleted Randomly [message #361335] Wed, 06 January 2010 16:28 Go to next message
Haynsey  is currently offline Haynsey  United States
Messages: 2
Registered: January 2010
Junior Member
G'day,

FYI - this thread was created because I used an older thread to reply
to. Meinolf Weber has already replied, see below at the end of my post.

Sorry for jumping into this thread with my own problem albeit very
similar to the OP's so I hope I can add something to it. If someone
has an issue I will create a new thread no worries.

We run a single 2003 native domain with 6 DC's. All clients are XP
SP2. I inherited this domain so I cannot speculate on how its initial
setup was done.

The issue we are experiencing is that random workstation accounts are
being deleted from AD and we don't know why. It occurs roughly once a
fortnight, it has not affected a server account yet and I believe it
is only occuring on computer accounts that are sitting inside one of
AD's OU's (We have multiple sites so depending on their site,
computers are organized into a particular OU) but I will need to
confirm this with my counterparts.

When the account is deleted, the workstation is not able to be used on

the domain. On logon, it says that the domian is unnavailable or the
account was deleted. Checking inside AD, you can verify the account no

longer exists.

I have enabled auditing on all 6 DC's. When the account is deleted, I
go through and check the last 24 hours but there is no mention of
event ID 647. I have also checked scheduled tasks that other admin's
may have enabled are there is nothing I found running against AD. I
would assume if a script was deleting these accounts, event ID 647
would pop up.

Google is not being cooperative either.

I will be running dcdiag on all DC's throughout the day user requests
permitting.

Is there another way I can find out how these accounts are being
deleted?
Is there something I'm missing?
Any thoughts?

Any help would be greatly appreciated.

Matt




*** - Begin Reply from Meinolf Weber - ***

Hello Haynsey,

As this posting is already from 08/2009 it is always better to create a
new one. Anyway, as stated in the beginning for the OP, a computer
account will NOT be deleted automatically, except some scripts are
trigger this.

What auditing settings in detail have you set on the domain controllers
OU?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm




*** - End Reply - ***


--
Haynsey
------------------------------------------------------------ ------------
Haynsey's Profile: http://forums.techarena.in/members/171451.htm
View this thread: http://forums.techarena.in/active-directory/1290427.htm

http://forums.techarena.in
Re: AD Computer Accounts being Deleted Randomly [message #361394 is a reply to message #361335] Wed, 06 January 2010 19:05 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Haynsey" <Haynsey.44e7ba@DoNotSpam.com> wrote in message
news:Haynsey.44e7ba@DoNotSpam.com...
>
> G'day,
>
> FYI - this thread was created because I used an older thread to reply
> to. Meinolf Weber has already replied, see below at the end of my post.
>
> Sorry for jumping into this thread with my own problem albeit very
> similar to the OP's so I hope I can add something to it. If someone
> has an issue I will create a new thread no worries.
>
> We run a single 2003 native domain with 6 DC's. All clients are XP
> SP2. I inherited this domain so I cannot speculate on how its initial
> setup was done.
>
> The issue we are experiencing is that random workstation accounts are
> being deleted from AD and we don't know why. It occurs roughly once a
> fortnight, it has not affected a server account yet and I believe it
> is only occuring on computer accounts that are sitting inside one of
> AD's OU's (We have multiple sites so depending on their site,
> computers are organized into a particular OU) but I will need to
> confirm this with my counterparts.
>
> When the account is deleted, the workstation is not able to be used on
>
> the domain. On logon, it says that the domian is unnavailable or the
> account was deleted. Checking inside AD, you can verify the account no
>
> longer exists.
>
> I have enabled auditing on all 6 DC's. When the account is deleted, I
> go through and check the last 24 hours but there is no mention of
> event ID 647. I have also checked scheduled tasks that other admin's
> may have enabled are there is nothing I found running against AD. I
> would assume if a script was deleting these accounts, event ID 647
> would pop up.
>
> Google is not being cooperative either.
>
> I will be running dcdiag on all DC's throughout the day user requests
> permitting.
>
> Is there another way I can find out how these accounts are being
> deleted?
> Is there something I'm missing?
> Any thoughts?
>
> Any help would be greatly appreciated.
>
> Matt
>
>
>
>
> *** - Begin Reply from Meinolf Weber - ***
>
> Hello Haynsey,
>
> As this posting is already from 08/2009 it is always better to create a
> new one. Anyway, as stated in the beginning for the OP, a computer
> account will NOT be deleted automatically, except some scripts are
> trigger this.
>
> What auditing settings in detail have you set on the domain controllers
> OU?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>
>
> *** - End Reply - ***
>
>
> --
> Haynsey

I'm not sure which thread to reply to. Since this is the fresh one, I would
think to reply to this.

First, let's see an ipconfig of a sample DC and a sample workstation or one
that this has occured on.

Also, Event logs - any errors, please post the EventID# and source names on
the DCs and/or workstations.

Any restrictions configured in a GPO on that OU?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
Re: AD Computer Accounts being Deleted Randomly [message #361745 is a reply to message #361335] Thu, 07 January 2010 06:31 Go to previous messageGo to next message
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
Look for any scheduled tasks that might be using oldcmp. This is a utility
that cleans up machine accounts. Maybe someone has a task that is being run
improperly, although it should log account deletions if you have it set up
properly. Have you properly configured auditing? Jorge has an excellent
article on configuring object auditing on AD. I would read this entire
article and verify that you have things configured properly. This link
states 2008, but it should be good for 2000 and 2003.
http://blogs.dirteam.com/blogs/jorge/archive/2008/04/29/audi ting-in-windows-server-2008.aspx

Oldcmp is a freeware utility written by Joe Richards at joeware.net

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Haynsey" <Haynsey.44e7ba@DoNotSpam.com> wrote in message
news:Haynsey.44e7ba@DoNotSpam.com...
>
> G'day,
>
> FYI - this thread was created because I used an older thread to reply
> to. Meinolf Weber has already replied, see below at the end of my post.
>
> Sorry for jumping into this thread with my own problem albeit very
> similar to the OP's so I hope I can add something to it. If someone
> has an issue I will create a new thread no worries.
>
> We run a single 2003 native domain with 6 DC's. All clients are XP
> SP2. I inherited this domain so I cannot speculate on how its initial
> setup was done.
>
> The issue we are experiencing is that random workstation accounts are
> being deleted from AD and we don't know why. It occurs roughly once a
> fortnight, it has not affected a server account yet and I believe it
> is only occuring on computer accounts that are sitting inside one of
> AD's OU's (We have multiple sites so depending on their site,
> computers are organized into a particular OU) but I will need to
> confirm this with my counterparts.
>
> When the account is deleted, the workstation is not able to be used on
>
> the domain. On logon, it says that the domian is unnavailable or the
> account was deleted. Checking inside AD, you can verify the account no
>
> longer exists.
>
> I have enabled auditing on all 6 DC's. When the account is deleted, I
> go through and check the last 24 hours but there is no mention of
> event ID 647. I have also checked scheduled tasks that other admin's
> may have enabled are there is nothing I found running against AD. I
> would assume if a script was deleting these accounts, event ID 647
> would pop up.
>
> Google is not being cooperative either.
>
> I will be running dcdiag on all DC's throughout the day user requests
> permitting.
>
> Is there another way I can find out how these accounts are being
> deleted?
> Is there something I'm missing?
> Any thoughts?
>
> Any help would be greatly appreciated.
>
> Matt
>
>
>
>
> *** - Begin Reply from Meinolf Weber - ***
>
> Hello Haynsey,
>
> As this posting is already from 08/2009 it is always better to create a
> new one. Anyway, as stated in the beginning for the OP, a computer
> account will NOT be deleted automatically, except some scripts are
> trigger this.
>
> What auditing settings in detail have you set on the domain controllers
> OU?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>
>
> *** - End Reply - ***
>
>
> --
> Haynsey
> ------------------------------------------------------------ ------------
> Haynsey's Profile: http://forums.techarena.in/members/171451.htm
> View this thread: http://forums.techarena.in/active-directory/1290427.htm
>
> http://forums.techarena.in
>
Re: AD Computer Accounts being Deleted Randomly [message #365388 is a reply to message #361335] Mon, 11 January 2010 14:33 Go to previous message
Jorge Silva  is currently offline Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Hi
Here's another possible cause... replication problems...
Can you post the result for
repadmin /replsummary /bysrc /bydest /sort:delta
--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




"Haynsey" <Haynsey.44e7ba@DoNotSpam.com> wrote in message
news:Haynsey.44e7ba@DoNotSpam.com...
>
> G'day,
>
> FYI - this thread was created because I used an older thread to reply
> to. Meinolf Weber has already replied, see below at the end of my post.
>
> Sorry for jumping into this thread with my own problem albeit very
> similar to the OP's so I hope I can add something to it. If someone
> has an issue I will create a new thread no worries.
>
> We run a single 2003 native domain with 6 DC's. All clients are XP
> SP2. I inherited this domain so I cannot speculate on how its initial
> setup was done.
>
> The issue we are experiencing is that random workstation accounts are
> being deleted from AD and we don't know why. It occurs roughly once a
> fortnight, it has not affected a server account yet and I believe it
> is only occuring on computer accounts that are sitting inside one of
> AD's OU's (We have multiple sites so depending on their site,
> computers are organized into a particular OU) but I will need to
> confirm this with my counterparts.
>
> When the account is deleted, the workstation is not able to be used on
>
> the domain. On logon, it says that the domian is unnavailable or the
> account was deleted. Checking inside AD, you can verify the account no
>
> longer exists.
>
> I have enabled auditing on all 6 DC's. When the account is deleted, I
> go through and check the last 24 hours but there is no mention of
> event ID 647. I have also checked scheduled tasks that other admin's
> may have enabled are there is nothing I found running against AD. I
> would assume if a script was deleting these accounts, event ID 647
> would pop up.
>
> Google is not being cooperative either.
>
> I will be running dcdiag on all DC's throughout the day user requests
> permitting.
>
> Is there another way I can find out how these accounts are being
> deleted?
> Is there something I'm missing?
> Any thoughts?
>
> Any help would be greatly appreciated.
>
> Matt
>
>
>
>
> *** - Begin Reply from Meinolf Weber - ***
>
> Hello Haynsey,
>
> As this posting is already from 08/2009 it is always better to create a
> new one. Anyway, as stated in the beginning for the OP, a computer
> account will NOT be deleted automatically, except some scripts are
> trigger this.
>
> What auditing settings in detail have you set on the domain controllers
> OU?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>
>
> *** - End Reply - ***
>
>
> --
> Haynsey
> ------------------------------------------------------------ ------------
> Haynsey's Profile: http://forums.techarena.in/members/171451.htm
> View this thread: http://forums.techarena.in/active-directory/1290427.htm
>
> http://forums.techarena.in
>
Previous Topic:Enterprise Subordinate Certificate Authority Validity Period
Next Topic:DC eventlog details
Goto Forum:
  


Current Time: Wed Jan 17 05:49:03 MST 2018

Total time taken to generate the page: 0.02313 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software