Ok, here's the situation.

We have two domain controllers. One of them (which we consider the primary
and was the first domain controller on our network) has all five FSMO roles.

The second was setup just to maintain a second copy AD database. We have a
relatively small network (about 100 users).

Lately, a Security Group permission that I add to a particular User keeps
getting removed. It's very perplexing. We shut down the second server
altogether, thinking that the replication was not occurring correctly, but
that has not fixed the problem.

So, with the second server down (meaning we have only one running Active
Directory domain controller right now), I changed the object by adding back
the permission and then checked the Update Sequence Number. It was set to
401290 and the Last Change was accurate (6:00pm.). I checked back in 1
hour, and the Update Sequence Number was now 401380 and the Last Update was
6:44pm. I re-added the permission back to the object, and checked the USN:
401505, Modified at 8:02pm. I will post back further if it gets overwritten
again (which it probably will.)

What could have updated this object, given that the only other Domain
Controller was not even turned on?

Thanks,

Dave Slinn

Hello David,

By "Security Group permission that I add to a particular User keeps
getting removed" do you mean delegate administrative permissions to a
security group to a particular user object or do you mean adding a user
to a group?

If it is the first one, my next question would be is your user a member
of a builtin administrative group?

If so, there is a process called the AdminSDHolder Thread that runs
every hour on the PDC Emulator FSMO role that compares the ACLs of
security principles that are members of administrative groups with the
ACL of the AdminSDHolder container located in the domain System
container. If there is a difference the ACL of the Security Principle is
reset to match that of the container. This is explained in the article
below.

http://support.microsoft.com/default...;en-us;Q232199

HTH

--
John Negus
MSEtechnology
--



"David Slinn" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Ok, here's the situation.
>
> We have two domain controllers. One of them (which we consider the
> primary
> and was the first domain controller on our network) has all five FSMO
> roles.
>
> The second was setup just to maintain a second copy AD database. We
> have a
> relatively small network (about 100 users).
>
> Lately, a Security Group permission that I add to a particular User
> keeps
> getting removed. It's very perplexing. We shut down the second
> server
> altogether, thinking that the replication was not occurring correctly,
> but
> that has not fixed the problem.
>
> So, with the second server down (meaning we have only one running
> Active
> Directory domain controller right now), I changed the object by adding
> back
> the permission and then checked the Update Sequence Number. It was
> set to
> 401290 and the Last Change was accurate (6:00pm.). I checked back in
> 1
> hour, and the Update Sequence Number was now 401380 and the Last
> Update was
> 6:44pm. I re-added the permission back to the object, and checked
> the USN:
> 401505, Modified at 8:02pm. I will post back further if it gets
> overwritten
> again (which it probably will.)
>
> What could have updated this object, given that the only other Domain
> Controller was not even turned on?
>
> Thanks,
>
> Dave Slinn
>
>

See my post in the win2000.active_directory news group.

--
John Negus
MSEtechnology
--



"David Slinn" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Ok, here's the situation.
>
> We have two domain controllers. One of them (which we consider the
> primary
> and was the first domain controller on our network) has all five FSMO
> roles.
>
> The second was setup just to maintain a second copy AD database. We
> have a
> relatively small network (about 100 users).
>
> Lately, a Security Group permission that I add to a particular User
> keeps
> getting removed. It's very perplexing. We shut down the second
> server
> altogether, thinking that the replication was not occurring correctly,
> but
> that has not fixed the problem.
>
> So, with the second server down (meaning we have only one running
> Active
> Directory domain controller right now), I changed the object by adding
> back
> the permission and then checked the Update Sequence Number. It was
> set to
> 401290 and the Last Change was accurate (6:00pm.). I checked back in
> 1
> hour, and the Update Sequence Number was now 401380 and the Last
> Update was
> 6:44pm. I re-added the permission back to the object, and checked
> the USN:
> 401505, Modified at 8:02pm. I will post back further if it gets
> overwritten
> again (which it probably will.)
>
> What could have updated this object, given that the only other Domain
> Controller was not even turned on?
>
> Thanks,
>
> Dave Slinn
>
>

On Mon, 22 Nov 2004 20:03:48 -0600, "David Slinn"
<(E-Mail Removed)> wrote:

>Ok, here's the situation.
>
>We have two domain controllers. One of them (which we consider the primary
>and was the first domain controller on our network) has all five FSMO roles.
>
>The second was setup just to maintain a second copy AD database. We have a
>relatively small network (about 100 users).
>
>Lately, a Security Group permission that I add to a particular User keeps
>getting removed. It's very perplexing. We shut down the second server
>altogether, thinking that the replication was not occurring correctly, but
>that has not fixed the problem.
>
>So, with the second server down (meaning we have only one running Active
>Directory domain controller right now), I changed the object by adding back
>the permission and then checked the Update Sequence Number. It was set to
>401290 and the Last Change was accurate (6:00pm.). I checked back in 1
>hour, and the Update Sequence Number was now 401380 and the Last Update was
>6:44pm. I re-added the permission back to the object, and checked the USN:
>401505, Modified at 8:02pm. I will post back further if it gets overwritten
>again (which it probably will.)
>
>What could have updated this object, given that the only other Domain
>Controller was not even turned on?
>
There's a GP that sets the membership of certain security groups. You
can add other users to the group but each the policy is applied the
membership will revert. Sounds like your problem.

http://support.microsoft.com/default...b;en-us;279301

Cheers,

Cliff
--

These twin-CPU hyperthreading computers are really
great! We can wait ten to a hundred times faster
these days.

John - thanks for the reply - you have helped solve my problem.

I found the ActiveSDHolder object and sure enough - the ACL that it had was
exactly what the other user object ACL was getting reset to. I checked the
groups that this user belonged to, and then checked which groups those
groups belonged to, etc. etc. and found one that was a "more" priviledged
one. I removed that group from the user object in question, and the ACL on
that object nows retains my changes.

Whew - there's just too much to know with regards to Active Directory...

"John Negus" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello David,
>
> By "Security Group permission that I add to a particular User keeps
> getting removed" do you mean delegate administrative permissions to a
> security group to a particular user object or do you mean adding a user
> to a group?
>
> If it is the first one, my next question would be is your user a member
> of a builtin administrative group?
>
> If so, there is a process called the AdminSDHolder Thread that runs
> every hour on the PDC Emulator FSMO role that compares the ACLs of
> security principles that are members of administrative groups with the
> ACL of the AdminSDHolder container located in the domain System
> container. If there is a difference the ACL of the Security Principle is
> reset to match that of the container. This is explained in the article
> below.
>
> http://support.microsoft.com/default...;en-us;Q232199
>
> HTH
>
> --
> John Negus
> MSEtechnology
> --
>
>
>
> "David Slinn" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > Ok, here's the situation.
> >
> > We have two domain controllers. One of them (which we consider the
> > primary
> > and was the first domain controller on our network) has all five FSMO
> > roles.
> >
> > The second was setup just to maintain a second copy AD database. We
> > have a
> > relatively small network (about 100 users).
> >
> > Lately, a Security Group permission that I add to a particular User
> > keeps
> > getting removed. It's very perplexing. We shut down the second
> > server
> > altogether, thinking that the replication was not occurring correctly,
> > but
> > that has not fixed the problem.
> >
> > So, with the second server down (meaning we have only one running
> > Active
> > Directory domain controller right now), I changed the object by adding
> > back
> > the permission and then checked the Update Sequence Number. It was
> > set to
> > 401290 and the Last Change was accurate (6:00pm.). I checked back in
> > 1
> > hour, and the Update Sequence Number was now 401380 and the Last
> > Update was
> > 6:44pm. I re-added the permission back to the object, and checked
> > the USN:
> > 401505, Modified at 8:02pm. I will post back further if it gets
> > overwritten
> > again (which it probably will.)
> >
> > What could have updated this object, given that the only other Domain
> > Controller was not even turned on?
> >
> > Thanks,
> >
> > Dave Slinn
> >
> >
>
>