Brian Higgins
I have an application that was written in-house, that stores information
pertaining to the user account in one of the 15 Exchange Extension
Attributes in AD (for lack of a better place in AD to store the values).
This app has been tested on 3 different domains and everything works just
fine, once SELF is granted Write Public Information permission from within
ADSI Edit for the user account.
I have installed the app on a new domain (fresh SBS2003 Network) and I have
given the 2 accounts the Write Public Information permission. The setting
works, for about 25 minutes, after which time the SELF account then shows no
security set on any of the properties that should have allow permissions
set.
I have re-set the permissions on the 2 user accounts numerous times, and
every time I do, after 25min, the user loses all permission for their own
account. An event 642 is logged both when setting the permissions, and when
the permissions get reset to blank, and an event 684 is logged immediately
after the 642 when the account gets reset.
The 684 indicates that it has something to do with domain administrative
rights (being set by an anonymous logon??), but these user accounts only have
power user rights, and local admin rights on the workstations they regularly
use.
When setting the permissions, the event ID is as follows:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 1/15/2005
Time: 3:38:06 PM
User: DOMAIN\administrator
Computer: SERVER
Description:
User Account Changed:
Target Account Name: user
Target Domain: DOMAIN
Target Account ID: DOMAIN\user
Caller User Name: administrator
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x442B0)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -
When the account gets reset, the Event IDs are:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 1/15/2005
Time: 4:05:07 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER
Description:
User Account Changed:
Target Account Name: user
Target Domain: DOMAIN
Target Account ID: DOMAIN\user
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 684
Date: 1/15/2005
Time: 4:05:07 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER
Description:
Set ACLs of members in administrators groups:
Target Account Name: user
Target Domain: DC=DOMAIN,DC=LOCAL
Target Account ID: DOMAIN\user
Caller User Name: SERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Privileges: -
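As an added example (not part of the post), this Python correlates the two kinds of audit record quoted above: a 684 titled "Set ACLs of members in administrators groups", written by the machine account under the SYSTEM logon session (0x0,0x3E7) in the same second as a 642 on the same account, is what the directory's periodic security-descriptor propagation (the AdminSDHolder mechanism) logs when it re-stamps the ACL of an account it treats as administrative, which matches the reset seen above every ~25 minutes. The sample log is a constructed excerpt in the export format shown in the post, trimmed to the fields the correlation needs; the function names are my own.

```python
# Constructed excerpt in the post's export format: the admin's manual ACL change,
# then the 642/684 pair written later by the machine account under the SYSTEM logon.
SAMPLE_LOG = """\
Event ID: 642
Time: 3:38:06 PM
User Account Changed:
Target Account Name: user
Caller User Name: administrator
Caller Logon ID: (0x0,0x442B0)
Event ID: 642
Time: 4:05:07 PM
User Account Changed:
Target Account Name: user
Caller User Name: SERVER$
Caller Logon ID: (0x0,0x3E7)
Event ID: 684
Time: 4:05:07 PM
Set ACLs of members in administrators groups:
Target Account Name: user
Caller User Name: SERVER$
Caller Logon ID: (0x0,0x3E7)
"""
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # the DC's local SYSTEM session, as in the reset events
SDPROP_TITLE = "Set ACLs of members in administrators groups"

def parse_events(text):
    """One dict per record (a record starts at each 'Event ID:' line)."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Event ID:"):
            current = {}
            events.append(current)
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            current[key] = value
        elif key != "Description":
            current["Description"] = key  # title line such as 'User Account Changed:'
    return events

def find_system_acl_resets(events):
    """(account, time) where a SYSTEM 684 with the propagation title pairs with a SYSTEM 642."""
    sys_642 = {(e.get("Target Account Name"), e.get("Time")) for e in events
               if e.get("Event ID") == "642" and e.get("Caller Logon ID") == SYSTEM_LOGON_ID}
    return [(e.get("Target Account Name"), e.get("Time")) for e in events
            if e.get("Event ID") == "684" and e.get("Description") == SDPROP_TITLE
            and e.get("Caller Logon ID") == SYSTEM_LOGON_ID
            and (e.get("Target Account Name"), e.get("Time")) in sys_642]
```

Accounts returned by `find_system_acl_resets` are the ones whose ACL the domain controller itself keeps rewriting; the administrator's own 642 at 3:38:06 PM is deliberately not reported.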