Re: AD user account Security modified automatically?



Joseph, thanks!

You hit it on the nail... Wasn't thinking clearly in the last few
days, and should have thought of that right away <grin>.

On Jul 11, 9:23 am, "Joseph T Corey" <jco...@xxxxxxxxxxxxxx> wrote:
I assume your account is a member of some elevated group (like Domain
Admins, Account Operators, etc.)? What you're seeing happens because of a
process that runs hourly on the domain controller with the PDC Emulator role
that compares the permissions on the AdminSDHolder object and reapplies all
of the permissions on that object to these certain protected AD objects. The
following KBs should answer everything in detail for you. The bottom line is
that you shouldn't be mail-enabling accounts with elevated domain
privileges. That said, you "can" always modify the default permissions for
AdminSDHolder but I wouldn't recommend it.  You should be using separate
accounts for AD administration.

http://support.microsoft.com/kb/907434/
http://support.microsoft.com/kb/232199

--
Joseph T. Corey  MCSE, Security+
Systems Administrator
http://joecorey.wordpress.com/

"Serge Ayotte" <sergeayo...@xxxxxxxxx> wrote in message

news:19361490-c13f-4dc3-8713-ea8c79c0897e@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



OK, I have a good one for all AD gurus...

Domain Windows 2003 (SP2), SINGLE DC
I have an account (I admit, MINE, the network admin) which for some
reason, when I add an account (a Blackberry related, so SEND AS is
enabled) to the security tab, it keeps disappearing at intervals
(have not looked at exactly, so I suspect it is a default AD review
time), even if that Blackberry account is also propagated to all the
other users in the same OU I am a member.

I tried auditing, I am uncertain exactly WHAT I should audit to find
the reason behind this.
I can't think of any kind of exceptions or Group policies that could
cause that Blackberry account to be removed from my security

Anyone with an idea or troubleshooting steps?
Or more so, how to force whatever event is removing the account so I
can more easily find it in the security event log?

Thank you in advance!
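
A check for the behaviour Joseph describes, added here as an example and not part of the original thread: this PowerShell lists protected accounts (adminCount=1) and, for each, the ACEs that are not on AdminSDHolder and so would be dropped when its permissions are reapplied. It assumes the ActiveDirectory module is available with read access to the domain, and treats a populated mail attribute as a stand-in for "mail-enabled"; Get-AceKey is a helper name chosen for this example.

```powershell
# Added example: assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$holderDn = "CN=AdminSDHolder,CN=System,$domainDn"

# The ACL on AdminSDHolder is the template reapplied to protected objects.
$holderAcl = Get-Acl -Path "AD:\$holderDn"

# Hypothetical helper: reduce an ACE to a string that can be compared.
function Get-AceKey($ace) {
    '{0}|{1}|{2}|{3}|{4}' -f $ace.IdentityReference, $ace.AccessControlType,
        $ace.ActiveDirectoryRights, $ace.ObjectType, $ace.InheritedObjectType
}
$templateKeys = @($holderAcl.Access | ForEach-Object { Get-AceKey $_ })

# Protected accounts carry adminCount=1. The flag is not cleared when an
# account leaves a protected group, so stale entries can show up here too.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, mail |
    ForEach-Object {
        $user = $_
        $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

        # ACEs present on the account but absent from the template:
        # these are the entries that will not survive the next run.
        $extra = @($acl.Access |
            Where-Object { $templateKeys -notcontains (Get-AceKey $_) })

        [pscustomobject]@{
            Account            = $user.SamAccountName
            MailAttributeSet   = [bool]$user.mail
            InheritanceBlocked = $acl.AreAccessRulesProtected
            AcesNotInTemplate  = ($extra | ForEach-Object {
                "$($_.IdentityReference): $($_.ActiveDirectoryRights)"
            }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

An account that shows MailAttributeSet as True is the combination Joseph advises against; a non-empty AcesNotInTemplate column right after a manual permission change shows the entry that is about to disappear.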
