Determining how and why an object was updated.

David Slinn

Ok, here's the situation.

We have two domain controllers. One of them (which we consider the primary
and was the first domain controller on our network) has all five FSMO roles.

The second was set up just to maintain a second copy of the AD database. We have a
relatively small network (about 100 users).

Lately, a Security Group permission that I add to a particular User keeps
getting removed. It's very perplexing. We shut down the second server
altogether, thinking that the replication was not occurring correctly, but
that has not fixed the problem.

So, with the second server down (meaning we have only one running Active
Directory domain controller right now), I changed the object by adding back
the permission and then checked the Update Sequence Number. It was set to
401290 and the Last Change was accurate (6:00pm.). I checked back in 1
hour, and the Update Sequence Number was now 401380 and the Last Update was
6:44pm. I re-added the permission back to the object, and checked the USN:
401505, Modified at 8:02pm. I will post back further if it gets overwritten
again (which it probably will.)

What could have updated this object, given that the only other Domain
Controller was not even turned on?

Thanks,

Dave Slinn
 
John Negus

Hello David,

By "Security Group permission that I add to a particular User keeps
getting removed" do you mean delegate administrative permissions to a
security group to a particular user object or do you mean adding a user
to a group?

If it is the first one, my next question would be is your user a member
of a builtin administrative group?

If so, there is a process called the AdminSDHolder Thread that runs
every hour on the PDC Emulator FSMO role that compares the ACLs of
security principals that are members of administrative groups with the
ACL of the AdminSDHolder container located in the domain System
container. If there is a difference, the ACL of the security principal is
reset to match that of the container. This is explained in the article
below.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q232199

HTH
 
Enkidu

There's a GP that sets the membership of certain security groups. You
can add other users to the group but each time the policy is applied the
membership will revert. Sounds like your problem.

http://support.microsoft.com/default.aspx?scid=kb;en-us;279301

Cheers,

Cliff
 
Dave Slinn

John - thanks for the reply - you have helped solve my problem.

I found the ActiveSDHolder object and sure enough - the ACL that it had was
exactly what the other user object ACL was getting reset to. I checked the
groups that this user belonged to, and then checked which groups those
groups belonged to, etc. etc. and found one that was a "more" privileged
one. I removed that group from the user object in question, and the ACL on
that object now retains my changes.

Whew - there's just too much to know with regards to Active Directory...
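
The nested-group walk Dave describes above, as an added example that is not part of the thread: it follows direct and indirect memberships until it reaches a group whose members AdminSDHolder protects, and returns the chain that causes the ACL reset. The function name, the sample accounts and groups, and the protected-group list are assumptions made for illustration.

```python
from collections import deque

# Groups whose members AdminSDHolder protects by default on current Windows
# Server versions (assumed list; adjust it to the domain being reviewed).
PROTECTED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Backup Operators", "Print Operators", "Server Operators",
}

def protected_chain(principal, member_of, protected=PROTECTED_GROUPS):
    """Return the shortest nesting chain from principal to a protected group,
    or None if no direct or nested membership reaches one."""
    parent = {principal: None}           # visited set plus back-pointers
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        if node != principal and node in protected:
            chain = []
            while node is not None:      # walk back-pointers to the user
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for group in member_of.get(node, ()):
            if group not in parent:      # skip visited groups (handles loops)
                parent[group] = node
                queue.append(group)
    return None

# Constructed sample directory: name -> groups it is a direct member of.
SAMPLE_MEMBER_OF = {
    "jdoe": ["Sales", "Helpdesk Tier2"],
    "asmith": ["Sales"],
    "Sales": ["All Staff"],
    "Helpdesk Tier2": ["IT Support"],
    "IT Support": ["Account Operators", "Helpdesk Tier2"],  # circular nesting
    "All Staff": [],
}

if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        chain = protected_chain(user, SAMPLE_MEMBER_OF)
        print(user, "->", " -> ".join(chain) if chain else "not protected")
```

An account for which a chain is returned will have its ACL reset to match AdminSDHolder on the next hourly pass; removing any link in the chain, as Dave did, stops the reset.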
 
