User account keeps being added to Domain Admins Group

Windows 2000 Active Directory

I have a user account that had been a member of both the Domain Admins as well as Enterprise Admins group.
There exists a restricted groups policy on the domain controllers OU and this user was on the list.
It was decided that this user account should no longer be a member of these groups.
His account was removed from the groups and his name was taken off the restricted groups policy; however, the next time I check his group membership, he is back to being a member of the Domain Admins and Enterprise Admins groups.

Does anyone have any idea why this account would be continually placed back into these groups after having been removed from them?

I understand there may be a batch file running somewhere that could be placing his account in these groups however this is unlikely.

Asked by: master_windu
 
Craig_200X Commented:
is this change being replicated? can you make the change physically on all dc's?

Could be a dc that is not taking replication and corrupting the AD schema.
 
master_windu (Author) Commented:
Yes. I make the change on our primary domain controller. The change replicates but it seems that after I take him out of the groups he is back in within a matter of minutes.

I even created a scheduled task on the primary domain controller to run a batch file that removes his account from the 2 groups and I have it running every 15 mins.  Even with that, I can still see that he is a member of domain admins again.

Our restricted groups policy in general never worked too well, as a while back I added myself to the list but was still getting kicked out by the policy.  Would it make any difference if I deleted this restricted groups policy and then recreated it?

We aren't having any replication issues that I know of.
 
master_windu (Author) Commented:
This may be unrelated but this server has been getting those "administrative templates" string truncated popups when editing group policy for a while now.  I will be applying the ms patch to update the group policy editor and reboot tonight after hours.
 
Craig_200X Commented:
how many dc's? can you make the change on all of them to rule out a replication problem?
 
master_windu (Author) Commented:
There are 57 domain controllers in the enterprise.  That would be difficult.
 
mcsween (Sr. Network Administrator) Commented:
Go to one of your domain controllers (with the support tools installed) and run

dcdiag /e /q > c:\dcdiag.log

When it's done check the log for errors.  This command will test all domain controllers in the enterprise and print only errors to the log file.  You may be having a replication problem.

Another thing you can try is to make the change on one of the DCs that's a Global Catalog, this might keep it from being replicated over.


The admin templates errors you are getting are a pain, but if you install adminpak on an XP SP2 workstation you can edit your domain policies from there, error free!
http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en

I also use the Group Policy Management Console now, it makes things much easier.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en
 
master_windu (Author) Commented:
Thanks, I will try dcdiag.

Almost all of our DCs are global catalogs.  We have many sites.  Usually only 1 server per site serving as DC, Exchange, and GC.

I have the XP SP2 admin pak loaded on my notebook, but every time I go to edit a group policy, I am directed to our primary domain controller. This happens even if I try to edit the policy on another domain controller. This was the first server promoted in our domain.  I always thought that this was by design and that there was a group policy setting that specified that all group policy changes need to be done on the primary DC.
 
Jay_Jay70 Commented:
check sites and services and see which way the replication is occurring as it is obviously working.....

global catalogs have nothing to do with replications

mcsween has given you a good option with the policy management console as from there you can view and delete policies and policy links across multiple domains etc....
 
master_windu (Author) Commented:
nothing unusual seen on dcdiag.log

Each dc has an active directory connector to each of the 2 core domain controllers.

I downloaded and installed the gpmc and went thru all the policies to see if there was some script running that was putting this user in the groups but I came up with nothing.

I'll keep trying tomorrow

Thanks for the suggestions
 
Jay_Jay70 Commented:
point i was trying to get at was if replication is occurring from dc - to central DC then chances are policy is replicating back, you need to make sure you're replicating TO the DC's in other sites
 
master_windu (Author) Commented:
Isn't there a way I can turn on auditing to try to narrow down what it is that is putting this user back into these groups?
 
master_windu (Author) Commented:
Found a way to turn on auditing and I reviewed the security logs looking for evts 632 and 633 but it still wasn't clear what was causing the problem.

I ended up deleting and recreating the gpo in the domain controllers ou that contained the restricted groups policy for the domain admins and ent admins group.

Everything seems ok now
 
Jay_Jay70 Commented:
so some remnants of the GPO hadn't deleted properly

at least you got it working :)
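
One way to check for the kind of leftover this thread ended on, as an added example (not code from any poster): the Python below scans a copy of SYSVOL's Policies folder for GptTmpl.inf files whose Restricted Groups ([Group Membership]) entries still name an account, since a listed member is put back at policy refresh. The sample template, the SIDs and the name EXAMPLE\jdoe are constructed.

```python
import re
from pathlib import Path

# Constructed sample: a GptTmpl.inf fragment with Restricted Groups entries.
# The SIDs and the name EXAMPLE\jdoe are made up for illustration.
SAMPLE = """[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111-2222-3333-512__Memberof =
*S-1-5-21-1111-2222-3333-512__Members = *S-1-5-21-1111-2222-3333-500,EXAMPLE\\jdoe
"""

ENTRY = re.compile(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.I)

def read_inf(path):
    """Decode a security template; they are normally UTF-16 with a BOM."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def restricted_group_entries(text):
    """Yield (group, kind, [values]) for each line of [Group Membership]."""
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "group membership" and (m := ENTRY.match(line)):
            group, kind, values = m.groups()
            members = [v.strip().lstrip("*") for v in values.split(",") if v.strip()]
            yield group.strip().lstrip("*"), kind.lower(), members

def find_account(policies_root, identifiers):
    """List (gpo_folder, group, kind) for entries naming any identifier.

    policies_root is a copy of SYSVOL's Policies folder; identifiers are the
    account's SID and/or DOMAIN\\name as they would appear in the template.
    """
    wanted = {i.lower() for i in identifiers}
    hits = []
    for inf in sorted(Path(policies_root).rglob("GptTmpl.inf")):
        gpo = inf.relative_to(policies_root).parts[0]  # the {GUID} folder
        for group, kind, values in restricted_group_entries(read_inf(inf)):
            if wanted & {group.lower(), *(v.lower() for v in values)}:
                hits.append((gpo, group, kind))
    return hits
```

Running it against the SYSVOL copy of more than one domain controller shows whether the entry survives only on some replicas of the policy.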
 
CetusMOD Commented:
PAQed with points refunded (500)

CetusMOD
Community Support Moderator