Salutations,

I've run across a strange issue in a Windows 2000 Native AD environment.
There are two Domain Controllers, one is Windows 2000, the other is Server
2003. Server 2003 hosts Exchange 2003.

The issue began when the 2000 DC was hosting all of the FSMO roles. When
new security was added to the security tab of an AD user object, it would
disappear after a period of time, leaving only the SID behind. We don't have
an exact time frame, but it seems to be within an hour.

We went through several layers of troubleshooting, and we've eventually
moved all of the FSMO roles to the 2003 server. Now, the same error seems to
be occurring, but the Security descriptors are completely removed, no SID is
left behind.

I've checked replication with replmon, and ran several dcdiag tests, and
nothing seems out of the ordinary. The only thing I've not explored deeply
is the AdminSDholder object, as described in
http://support.microsoft.com/?id=232199.

I suppose I'm looking for any thoughts as to what else could be causing this
strange issue.

RE: AD User Objects not retaining security by ZiadKChafi

ZiadKChafi
Fri Mar 28 08:18:00 PDT 2008

Try to separate the Global Catalog and Infrastructure Master from each other,
put each one on a separate DC.

Let me know...
--
Ziad K. Chafi
MCT, MCTS, MCDBA, MCSE: S, MCDST
CompTIA A+, CompTIA N+,



RE: AD User Objects not retaining security by Jeff

Jeff
Fri Mar 28 08:24:01 PDT 2008

That was one of the earlier things we did before we moved all of the FSMO
roles to the 2003 server.

We've not tried this since, but I will do that and see if this corrects the
issue.

Thank you.


Re: AD User Objects not retaining security by Ken

Ken
Fri Mar 28 08:40:05 PDT 2008

Hello,

It is a good bet that you are running up against "adminsdholder". Here is a
link to learn about it:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

Short summary:
Some accounts are "protected". An account becomes protected if it is a
member of a key group, such as one of the builtin administrator groups.
There is an object in Active Directory called the adminsdholder. It is a
placeholder object in AD that has a set of permissions on it. This is your
default permissions set for protected objects. There is a process that runs
regularly on the domain that looks for protected accounts and makes sure
their permissions are set to the permissions on the adminsdholder object.

I hope this information helps.

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com
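
A read-only check for the behaviour Ken describes, added here as an example and not part of the original thread: it lists the accounts already marked as protected and compares each one's explicit permissions with those on the AdminSDHolder object. It assumes a management host with the ActiveDirectory PowerShell module and a domain that module can reach; the `adminCount=1` filter and the `Get-AceKey` helper are choices made for this example, not something the posters used.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

# Hypothetical helper: reduce an ACE to a string so two DACLs can be compared.
function Get-AceKey {
    param($Ace)
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference, $Ace.AccessControlType,
        $Ace.ActiveDirectoryRights, $Ace.ObjectType, $Ace.InheritedObjectType
}

# Template DACL that the background process stamps onto protected accounts.
$holderAcl  = Get-Acl -Path "AD:\$holderDN"
$holderKeys = @($holderAcl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { Get-AceKey $_ })

# Accounts the process has treated as protected carry adminCount=1.
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

$report = foreach ($user in $protected) {
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $keys = @($acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { Get-AceKey $_ })

    [pscustomobject]@{
        User               = $user.SamAccountName
        # True when the account no longer inherits permissions from its OU.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        # On the user but not on the template: removed at the next run.
        ExtraAces          = @($keys | Where-Object { $holderKeys -notcontains $_ })
        # On the template but not on the user: added at the next run.
        MissingAces        = @($holderKeys | Where-Object { $keys -notcontains $_ })
    }
}

$report | Sort-Object User | Format-List
```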


Re: AD User Objects not retaining security by Jorge

Jorge
Fri Mar 28 08:45:00 PDT 2008

Sounds like AdminSDHolder.
http://support.microsoft.com/kb/817433/en-us

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Re: AD User Objects not retaining security by Jeff

Jeff
Fri Mar 28 11:11:01 PDT 2008

Thank you, Ken, Jorge and Ziad.

Hopefully one of these solutions will work.
