Hello There...

I have a global group named "My Enterprise Admin" which is a member of
Domain Admin in AD.

I created another group named "Admin Manger Enterprise".

I added Admin Manger Enterprise in the security tab of the "My Enterprise
Admin" group and assigned the Add/Remove self as a member permission.

After an hour this group is removed from the permission.

And I found the following in the event log:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 641
Date: 6/16/2008
Time: 1:26:35 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: VBURDWDEVDC02
Description:
Security Enabled Global Group Changed:
Target Account Name: Admin Manger Enterprise
Target Domain: POWER
Target Account ID: POWER\Domain Admins
Caller User Name: DC0001$
Caller Domain: POWER
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Sid History: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I tried again and same issue...
With investigation, I found that I am not able to assign any group
"add/remove self as a member" permission to a group which is a member
of Domain Admin or Enterprise Admin.

Can anyone help me find a solution for this?

Regards,
Avi

Re: Add/Remove Self As Member Permission by mkline

mkline
Sun Jun 15 23:26:20 PDT 2008

Avi,

Hi, this is caused by AdminSdHolder.

Take a look at this blog entry that Ulf wrote about it:

http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
AdminSDHolder - or where did my permissions go?

Jorge also has a really good entry on the subject here:

http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

Thanks
Mike
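
Added example, not part of the original thread: a read-only PowerShell audit of the AdminSDHolder behaviour Mike points to. It lists the explicit ACEs on the AdminSDHolder template and checks which protected objects (adminCount=1) currently carry the same DACL. It assumes the RSAT ActiveDirectory module and a domain-joined session; nothing here changes any permission.

```powershell
# Added example: read-only audit of AdminSDHolder protection.
# Assumption: RSAT ActiveDirectory module is installed and the session
# can read the domain partition.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# The permission reset is performed by the PDC emulator, by default
# every 60 minutes, which matches "after an hour" in the question.
"PDC emulator: $($domain.PDCEmulator)"

# Explicit ACEs on AdminSDHolder: this is the template that is stamped
# onto every protected group and its members.
$holderAcl = Get-Acl -Path "AD:\$holderDn"
$holderAcl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  AccessControlType, ObjectType |
    Format-Table -AutoSize

# SDDL form of the template DACL, used for comparison below.
$holderSddl = $holderAcl.GetSecurityDescriptorSddlForm('Access')

# Protected objects are flagged with adminCount=1. Groups nested in
# Domain Admins (like "My Enterprise Admin" in the question) are included.
Get-ADObject -LDAPFilter '(adminCount=1)' |
    ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            Name                 = $_.Name
            ObjectClass          = $_.ObjectClass
            InheritanceBlocked   = $acl.AreAccessRulesProtected
            MatchesAdminSDHolder =
                ($acl.GetSecurityDescriptorSddlForm('Access') -eq $holderSddl)
        }
    } |
    Sort-Object MatchesAdminSDHolder, Name |
    Format-Table -AutoSize
```

A row with MatchesAdminSDHolder = False is either an object that has left its protected group but kept adminCount=1, or one whose ACL was edited since the last reset and will be overwritten on the next run.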

