Re: Global Security Group members disappear



On Sep 12, 3:12 am, Jeremy <Jer...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
OK, I now have a series of log entries as follows, one each for each group
removed:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 633
Date: 12/09/2007
Time: 04:16:58
User: NT AUTHORITY\SYSTEM
Computer: SENIOR
Description:
Security Enabled Global Group Member Removed:
Member Name: CN=2007,CN=Users,DC=sion_domain,DC=local
Member ID: SION_DOMAIN\2007
Target Account Name: Students
Target Domain: SION_DOMAIN
Target Account ID: SION_DOMAIN\Students
Caller User Name: SENIOR$
Caller Domain: SION_DOMAIN
Caller Logon ID: (0x0,0x9588C9A)
Privileges: -

and

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 641
Date: 12/09/2007
Time: 04:16:58
User: NT AUTHORITY\SYSTEM
Computer: SENIOR
Description:
Security Enabled Global Group Changed:
Target Account Name: Students
Target Domain: SION_DOMAIN
Target Account ID: SION_DOMAIN\Students
Caller User Name: SENIOR$
Caller Domain: SION_DOMAIN
Caller Logon ID: (0x0,0x9588C9A)
Privileges: -
Changed Attributes:
Sam Account Name: -
Sid History: -

How do I identify the Caller Logon ID?



"Steve B" wrote:
Ensure Audit Account management is set to Success and Failure in the Domain
Controllers policy. Also ensure that you run gpupdate to force the policy to
apply. I would then (at a suitable time) take out one of the groups and put
it back in. You can then check the security log to ensure that everything is
being logged.

If it happens again at least you know it should have been captured.

"Jeremy" wrote:

The only vaguely relevant entry in the security log is as follows:

Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 516
Date: 10/09/2007
Time: 16:48:29
User: NT AUTHORITY\SYSTEM
Computer: SENIOR
Description:
Internal resources allocated for the queuing of audit messages have been
exhausted, leading to the loss of some audits.
Number of audit messages discarded: 4

Mind you, I only had Directory Services logging failures. I've reset it to
log successes as well now.

"Jorge Silva" wrote:

I agree with Steve, you should look at the logs to check what is going on...

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
"Steve B" <Ste...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A2D67D5A-0EEC-4887-BD40-F0817041259D@xxxxxxxxxxxxxxxx
OK... have you checked the security logs on the DCs? This should now tell
you who/the process and time that the students group was removed.

"Jeremy" wrote:

Moved forest/domain level to 2003.

Members of "Students" disappeared again overnight. I have turned on
auditing of management as Jorge suggested although I think the likelihood
of anyone other than me being able to edit AD is low.

"Steve B" wrote:

Whilst it will not explain why your groups disappeared - I would suggest
you investigate switching your domain/forest level to Windows 2003. This
allows you to take advantage of all the AD features.

Did you manage to check what auditing was turned on?

"Jeremy" wrote:

Hmmm... okay, further investigation reveals:

Domain Functional Level: Windows 2000 native

Forest Functional Level: Windows 2000

"Steve B" wrote:

What's the forest functional level? Do you have auditing turned on? If so,
what are you auditing?

"Jeremy" wrote:

I should add that this is W2k3 AD

"Jeremy" wrote:

I have set up a Global Security Group called "Students" which on a good day
contains Global Security Groups "2000", "2001"... "2007". I recently set up
a second domain controller. Now, every morning I look in Students and all
the Global Security Groups supposed to be members ("2000", "2001"... "2007")
have disappeared from the list of members. There are no errors in the Event
Logs and RepAdmin shows replication occurring correctly. To apply a
temporary fix I visit both DCs and add the missing groups. I also use ADUC
on my XP Pro workstation and re-apply the groups using that too if they are
not showing.

Why do these groups disappear from the membership list of the "Students"
group and how can I stop it happening?


Hi,

Caller User Name: SENIOR$

I would run a virus scan on this machine SENIOR to determine if it is
not a virus causing this.

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
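
Added example (not part of the original thread): one way to work with the Caller Logon ID in the 633 records above is to group the removals by that ID and look for a logon event (528/540) on the same DC that carries the same Logon ID. The helper names, the second 633 record and the 540 record with its source address are constructed for illustration.

```python
import re
# Constructed sample: the first 633 record is trimmed from the post; the second
# 633 and the 540 logon record (source address) are made up for illustration.
SAMPLE = r"""
Event ID: 633
Member ID: SION_DOMAIN\2007
Target Account Name: Students
Caller User Name: SENIOR$
Caller Logon ID: (0x0,0x9588C9A)

Event ID: 633
Member ID: SION_DOMAIN\2006
Target Account Name: Students
Caller User Name: SENIOR$
Caller Logon ID: (0x0,0x9588C9A)

Event ID: 540
User Name: SENIOR$
Logon ID: (0x0,0x9588C9A)
Source Network Address: 192.0.2.10
"""

def parse_events(text):
    """Split an exported log into blank-line separated records of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def correlate(events):
    """Group 633 removals by Caller Logon ID and attach the logon with that ID."""
    logons = {e["Logon ID"]: e for e in events
              if e["Event ID"] in ("528", "540") and "Logon ID" in e}
    sessions = {}
    for e in (e for e in events if e["Event ID"] == "633"):
        lid = e.get("Caller Logon ID")
        caller = e.get("Caller User Name", "")
        s = sessions.setdefault(lid, {"caller": caller, "removed": [],
                                      "machine_account": caller.endswith("$"),
                                      "logon": logons.get(lid)})
        s["removed"].append((e.get("Member ID"), e.get("Target Account Name")))
    return sessions

if __name__ == "__main__": print(correlate(parse_events(SAMPLE)))
```

A session whose `logon` is `None` means the matching logon record was not in the export, which can happen if logon auditing is off or the log has wrapped.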
