OK, I have a good one for all AD gurus...

Domain Windows 2003 (SP2), SINGLE DC
I have an account (I admit, MINE, the network admin) which for some
reason, when I add an account (a Blackberry related, so SEND AS is
enabled) to the security tab, it keeps disappearing at intervals
(have not looked at exactly, so I suspect it is a default AD review
time), even if that Blackberry account is also propagated to all the
other users in the same OU I am a member of.

I tried auditing; I am uncertain exactly WHAT I should audit to find
the reason behind this.
I can't think of any kind of exceptions or Group Policies that could
cause that Blackberry account to be removed from my security

Anyone with an idea or troubleshooting steps?
Or more so, how to force whatever event is removing the account so I
can more easily find it in the security event log?

Thank you in advance!

Re: AD user account Security modified automatically? by Meinolf

Meinolf
Fri Jul 11 06:10:37 PDT 2008

Hello Serge,

Your description is not really clear to me. Where did you add the Blackberry
account (domain user?) to, and what would you achieve with that step?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm




Re: AD user account Security modified automatically? by Joseph

Joseph
Fri Jul 11 06:23:14 PDT 2008

I assume your account is a member of some elevated group (like Domain
Admins, Account Operators, etc.)? What you're seeing happens because of a
process that runs hourly on the domain controller with the PDC Emulator role
that compares the permissions on the AdminSDHolder object and reapplies all
of the permissions on that object to these certain protected AD objects. The
following KBs should answer everything in detail for you. The bottom line is
that you shouldn't be mail-enabling accounts with elevated domain
privileges. That said, you "can" always modify the default permissions for
AdminSDHolder but I wouldn't recommend it. You should be using separate
accounts for AD administration.

http://support.microsoft.com/kb/907434/
http://support.microsoft.com/kb/232199

--
Joseph T. Corey MCSE, Security+
Systems Administrator
http://joecorey.wordpress.com/

"Serge Ayotte" <sergeayotte@gmail.com> wrote in message
news:19361490-c13f-4dc3-8713-ea8c79c0897e@t54g2000hsg.googlegroups.com...

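A way to see Joseph's explanation in action, as an added example that is not code from the thread: list the accounts SDProp has marked as protected (adminCount=1) and compare each one's explicit ACEs with the AdminSDHolder template, so an ACE like the Blackberry Send As entry shows up as "extra" before the hourly task strips it. It assumes the ActiveDirectory PowerShell module (RSAT) and its AD: drive, which a 2003 domain needs the Active Directory Management Gateway Service to serve.

```powershell
# Added example: report protected accounts whose ACL differs from AdminSDHolder.
# Assumes the ActiveDirectory module is installed (not part of the original thread).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

function Get-AceKey {
    # Compact, comparable representation of one ACE (who, allow/deny, rights, object GUIDs)
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference, $Ace.AccessControlType,
        $Ace.ActiveDirectoryRights, $Ace.ObjectType, $Ace.InheritedObjectType
}

function Get-ExplicitAceKeys {
    # Only non-inherited ACEs matter: SDProp stamps AdminSDHolder's explicit ACL
    # onto protected objects and disables inheritance on them.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    @($acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { Get-AceKey $_ })
}

# The template ACL that the hourly task on the PDC Emulator reapplies
$holderKeys = Get-ExplicitAceKeys -DistinguishedName $holderDN

# adminCount=1 identifies objects SDProp has already processed
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount | ForEach-Object {
    $user    = $_
    $acl     = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $keys    = Get-ExplicitAceKeys -DistinguishedName $user.DistinguishedName
    $extra   = @($keys | Where-Object { $holderKeys -notcontains $_ })
    $missing = @($holderKeys | Where-Object { $keys -notcontains $_ })

    [PSCustomObject]@{
        User               = $user.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ExtraAces          = $extra.Count      # will be removed on the next SDProp pass
        MissingAces        = $missing.Count    # will be re-added on the next SDProp pass
        ExtraDetail        = ($extra -join '; ')
    }
} | Format-Table -AutoSize -Wrap
```

Any account that lists a non-zero ExtraAces value is a mail-enabled or otherwise customised protected account, which is exactly the situation Joseph advises against; use a separate non-admin account for mailbox permissions instead.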

Re: AD user account Security modified automatically? by Serge

Serge
Fri Jul 11 07:01:51 PDT 2008

Joseph, thanks!

You hit it on the nail... Wasn't thinking clearly in the last few
days, and should have thought of that right away <grin>.

On Jul 11, 9:23 am, "Joseph T Corey" <jco...@andrew.cmu.edu> wrote: