Urgent problem - the SeSecurityPrivilege right keeps getting reset on the Exchange Enterprise Servers group

The SeSecurityPrivilege right keeps getting reset on the Exchange Enterprise Servers group. This stops Exchange talking to AD and the mailstores dismount a short while later. When I run the Policytest tool from the Exchange CD it shows "right not found" for each DC. I can easily fix this by running the Exchange setup /domainprep switch, which adds the right back to the group. But it keeps getting reset and I have to keep running /domainprep.
I can keep checking Policytest during the day and running /domainprep but it's not really a proper solution, and I can't stay there all night either so email can be down in the morning causing major grief.


I've run through MSoft paper ID 314294 http://support.microsoft.com/?id=314294 and switched on security auditing for domain security events in event viewer but cannot find any trace of what they are looking for in the security log.

One clue may be that I have to run /domainprep on each DC to give it back the right to its copy of the AD.

So I'm stuck. I know this is a really tricky one but it's driving me mad and any help you can offer would be greatly appreciated!!!
Many thanks for reading this, please help!!!!!!!
Asked by: chris_wren

bbao (IT Consultant) commented:
Have you noticed this sentence "When Kerberos security refresh intervals expire or Exchange services are restarted on particular servers, the issues become evident" in MKB Q314294? Are you sure your refresh intervals of Kerberos are set well?
 
bbao (IT Consultant) commented:
Do you know this KB? See step 3 of its resolution "..., run secedit /refreshpolicy machine_policy /enforce..."

XADM: Policytest Utility Returns 'Right NOT Found' Result
http://support.microsoft.com/?id=328662
 
chris_wren (Author) commented:
Cheers bbao - I deleted my default DC GPO (seemed to be stuffed up for some reason - I couldn't edit it) and created a new one with the correct SeSecurityPrivilege user settings for Exchange.
 
bbao (IT Consultant) commented:
Nice to hear. Glad to help. :)
 
snyderkv commented:
Life saver. My work thought it was me who removed it and had audit logs to prove it.

The issue was caused when I ran KLIST /Purge or when resetting the security policy on the DC. Probably not supposed to happen in a less hectic environment but it did in this one.
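
An added example, not code from this thread or from Microsoft: a check that reads the `[Privilege Rights]` section of a security template (a GPO's `GptTmpl.inf` or the output of `secedit /export /cfg`) and reports whether SeSecurityPrivilege is still granted to a required group, the setting chris_wren corrected in the new GPO. The function names are hypothetical, and the SID and sample template text are constructed placeholders.

```python
import codecs

def decode_inf(raw: bytes) -> str:
    """Templates are normally UTF-16 with a BOM; otherwise treat as UTF-8/ANSI."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def privilege_holders(inf_text: str, privilege: str) -> set:
    """Return the principals assigned `privilege` in [Privilege Rights].

    Entries are '*SID' or plain account names, comma separated. A missing
    line and an empty assignment both yield an empty set.
    """
    holders, in_section = set(), False
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == privilege.lower():
                holders |= {v.strip().lstrip("*").lower()
                            for v in value.split(",") if v.strip()}
    return holders

def missing_holders(inf_text, privilege, required):
    """Principals from `required` that the template does not grant `privilege`."""
    have = privilege_holders(inf_text, privilege)
    return sorted(r for r in required if r.lstrip("*").lower() not in have)

# Constructed sample data: placeholder SID standing in for the Exchange group.
EXCHANGE_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
GOOD = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544,*{EXCHANGE_GROUP_SID}
[Version]
signature="$CHICAGO$"
"""
RESET = GOOD.replace(f",*{EXCHANGE_GROUP_SID}", "")  # the right has been dropped

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("reset", RESET)):
        gone = missing_holders(text, "SeSecurityPrivilege", [EXCHANGE_GROUP_SID])
        print(label, gone or "OK")
```

Run on a schedule against the template of the GPO that applies to the domain controllers, a non-empty result flags the reset before the mailstores dismount.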