Re: Domain Admin groups - users disappear/reappear ???

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Hello JayDee,

There is no automatic adding from users to security groups. Never heard about. If you would talk abut removed permissions for user that are added to some builtin groups i would say it belongs to the AdminSDHolder process running each hour.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Ok, this is a very interesting observation I have made as a result of
a simple script I wrote. The objective was to send an email when a
user is added to or removed from an admin group in the domain (Domain
Admins, Account Ops, Server Ops, etc...). The way the script works is
to check the membership of the groups every 15 minutes and export the
members to a text file (using DSQUERY/DSGET for group membership).
Each time the script runs, it does a file compare (FC) between the
current and last file for that group to see if changes were made.

Here's the weird part: Although the script runs every two hours, this
occurs at different seemingly random intervals. I will receive emails
stating some users were removed, then were added to a number of admin
groups at the same time! Does AD remove and readd groups to domain
admin groups occasionally during some kind of background maintenance?
Since the script and methodology are relatively simple and more
importantly the problem occurs at random intervals, not all intervals,
I don't think it has anything to do with the script itself. Oh, and
this happens regardless of whether or not any changes were actually
made to the groups.

Any takers?? I'm ready to be impressed. :)

- JayDee



.

Relevant Pages

  • Re: Domain Admin groups - users disappear/reappear ???
    ... user is added to or removed from an admin group in the domain (Domain ... The way the script works is ... members to a text file (using DSQUERY/DSGET for group membership). ... importantly the problem occurs at random intervals, not all intervals, ...
    (microsoft.public.windows.server.active_directory)
  • Domain Admin groups - users disappear/reappear ???
    ... user is added to or removed from an admin group in the domain (Domain ... The way the script works is ... members to a text file (using DSQUERY/DSGET for group membership). ... importantly the problem occurs at random intervals, not all intervals, ...
    (microsoft.public.windows.server.active_directory)
  • Re: AD group logon script question
    ... like I described our logon script: ... If individuals need special access to certain resources, ... and each group must be protected from the administrators of the other. ... membership as required. ...
    (microsoft.public.scripting.vbscript)
  • Re: HELP..Need help with script that auto adds group to local admin group.
    ... client OS is Win9x, then a loop is required to retrieve this. ... you can change membership in all local ... Best is often to use a Startup script to make a global group a member of the ... local administrators group on every machine. ...
    (microsoft.public.scripting.vbscript)
  • Re: Local computer - privileged access - active directory question
    ... I've looke at Richard's site and found a vbs script that comes ... The program EnumLocalGroup.vbs enumerates the membership of a local group. ... The program can be easily modified to enumerate the membership of a local ... NetBIOS names and enumerate the membership of a local group on each ...
    (microsoft.public.windows.server.scripting)