Re: Domain Admin groups - users disappear/reappear ???




I think Meinolf already touched on it but I would suspect AdminSDHolder
could be the culprit, but all that does is modify the ACLs.

http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"JayDee" <dopamine@xxxxxxxx> wrote in message
news:b4a32258-4bea-47fe-8d98-e1249a8d46a6@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Ok, this is a very interesting observation I have made as a result of
a simple script I wrote. The objective was to send an email when a
user is added to or removed from an admin group in the domain (Domain
Admins, Account Ops, Server Ops, etc...). The way the script works is
to check the membership of the groups every 15 minutes and export the
members to a text file (using DSQUERY/DSGET for group membership).
Each time the script runs, it does a file compare (FC) between the
current and last file for that group to see if changes were made.

Here's the weird part: Although the script runs every two hours, this
occurs at different seemingly random intervals. I will receive emails
stating some users were removed, then were added to a number of admin
groups at the same time! Does AD remove and re-add groups to domain
admin groups occasionally during some kind of background maintenance?
Since the script and methodology are relatively simple and more
importantly the problem occurs at random intervals, not all intervals,
I don't think it has anything to do with the script itself. Oh, and
this happens regardless of whether or not any changes were actually
made to the groups.

Any takers?? I'm ready to be impressed. :)

- JayDee
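
A more robust form of the comparison step described in the quoted post, as an added example that is not part of the thread: it compares two membership snapshots as sets instead of line by line, and treats a failed or empty query as inconclusive rather than as removals. The function names, the one-DN-per-line input format and the sample DNs are assumptions, and the example does not establish what caused the behaviour reported above.

```powershell
# Added example, not from the thread. Assumed input format:
# one member DN per line, optionally wrapped in double quotes.

function Get-NormalizedMembers {
    param([string[]]$Lines)
    # Trim whitespace and quotes, drop blank lines, de-duplicate.
    # Sort-Object -Unique is case-insensitive by default, like DN matching.
    @($Lines | ForEach-Object { "$_".Trim().Trim('"') } |
        Where-Object { $_ } | Sort-Object -Unique)
}

function Compare-GroupSnapshot {
    param(
        [string[]]$Previous,          # member DNs saved by the last run
        [string[]]$Current,           # member DNs returned by this run
        [bool]$QueryFailed = $false   # caller sets this if the query errored
    )
    $prev = @(Get-NormalizedMembers $Previous)
    $cur  = @(Get-NormalizedMembers $Current)

    # A failed query, or a populated group that suddenly looks empty, is
    # reported for re-checking instead of as a mass removal.
    if ($QueryFailed -or ($cur.Count -eq 0 -and $prev.Count -gt 0)) {
        return [pscustomobject]@{ Status = 'Inconclusive'; Added = @(); Removed = @() }
    }

    # Set difference in both directions; -notin ignores case and line order.
    $added   = @($cur  | Where-Object { $_ -notin $prev })
    $removed = @($prev | Where-Object { $_ -notin $cur })
    $status  = if ($added.Count -or $removed.Count) { 'Changed' } else { 'Unchanged' }
    [pscustomobject]@{ Status = $status; Added = $added; Removed = $removed }
}

# Constructed sample snapshots (example.test is a placeholder domain).
$last = '"CN=Alice Admin,CN=Users,DC=example,DC=test"',
        '"CN=Bob Ops,CN=Users,DC=example,DC=test"'
# Same two members in a different order and letter case, plus one new member.
$now  = '"cn=bob ops,CN=Users,DC=example,DC=test"',
        '"CN=Alice Admin,CN=Users,DC=example,DC=test"',
        '"CN=Carol New,CN=Users,DC=example,DC=test"'

Compare-GroupSnapshot -Previous $last -Current $now
# An empty result for a group that had members on the previous run.
Compare-GroupSnapshot -Previous $last -Current @()
```

Sending the alert only when two consecutive runs agree on a `Changed` result reduces mail caused by a single bad read.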

