
AD group backup/restore mystery

Can anyone think of any legitimate reason why a group in AD would have ex-members re-joined? The reason I ask is that I check the membership of the group that can access our files on a file server once a month, to check that nobody has been added to the group. A couple of times now I have noticed that an ex-employee (who still works in the business, but elsewhere) has been relisted in the group membership, when they have 100% been removed before. I wondered whether any AD-type maintenance could cause this by mistake? It's almost like the group has reverted back to a previous state/backup. Any theories how this could occur?
Asked by pma111

4 Solutions
 
Sushil Sonawane commented:
If you removed the user from the group, then Active Directory does not automatically give the group permission back to the user.

If you restore a previous state/backup, then the removed user will get the permission again, or become a member of the group again.
 
Tony J (Lead Technical Architect) commented:
Does said user have any admin rights or knowledge of admin accounts?

If the former, I would revoke them if possible and if the latter then it may be time to change their passwords.
 
pma111 (Author) commented:
No admin permissions.
 
Tony J (Lead Technical Architect) commented:
Then either some kind of automated task / script is running that is adding him back into the group, or he knows an admin account. Or, someone with an admin account is adding him in.
 
Sarang Tinguria (Sr Engineer) commented:
It's humans who make mistakes... Machines do as we say. Look at the admins of the same domain; one of them might be the culprit.
 
Krzysztof Pytko (Active Directory Engineer) commented:
Hm, I can think of these cases:

1) someone re-added the users to the group
2) an authoritative restore of the group was done
3) there is a multidomain environment where not all DCs are Global Catalogs and the Infrastructure Master role is on a GC server (performed changes are overwritten)

to check that, run in the command line:

    nltest /dclist:<DNS-Domain-Name>

and if any of the DCs are not GCs, then run

    netdom query fsmo

to check where the Infrastructure Master is located. Then compare whether it is on a GC server.

4) there are some LDAP services (i.e. Novell) with replication to the AD database enabled, and they are treated as "primary". All changes are replicated one way, from the LDAP environment to AD, so you cannot simply remove the user from the AD group

Are you able to verify these points in your environment, please?

Regards,
Krzysztof
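To narrow down the causes listed in the thread (a manual re-add, an authoritative restore, or an overwrite from another DC), here is an added PowerShell check that is not part of any answer above. It assumes the RSAT ActiveDirectory module, a group name of your choosing (the one below is a placeholder), and that "Audit Security Group Management" is enabled on the DCs so that events 4728/4732/4756 are logged.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module,
# an account allowed to read the Security log on every DC, and that
# "Audit Security Group Management" auditing is enabled (events 4728/4732/4756).
Import-Module ActiveDirectory

$GroupName = 'FileServer-Share-Users'   # placeholder: the group reviewed each month
$Days      = 30                          # look back over the last review period

# 1) Point 3 from the thread: is the Infrastructure Master on a DC that is also a GC
#    while other DCs are not GCs? (Only relevant in a multi-domain forest.)
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *
$imIsGc = ($dcs | Where-Object HostName -eq $domain.InfrastructureMaster).IsGlobalCatalog
$nonGcs = $dcs | Where-Object { -not $_.IsGlobalCatalog }
if ($imIsGc -and $nonGcs -and (Get-ADForest).Domains.Count -gt 1) {
    Write-Warning "Infrastructure Master $($domain.InfrastructureMaster) is a GC while these DCs are not: $($nonGcs.HostName -join ', ')"
}

# 2) Replication metadata for the group's 'member' links: when each link was last
#    written and from which DC the change originated. A single re-added member shows
#    a fresh LastOriginatingChangeTime on one link; an authoritative restore bumps the
#    version on many links at the same time.
$group = Get-ADGroup $GroupName
Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $domain.PDCEmulator -ShowAllLinkedValues |
    Where-Object AttributeName -eq 'member' |
    Sort-Object LastOriginatingChangeTime -Descending |
    Select-Object AttributeValue, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize

# 3) Who did it: membership-add audit events on every DC
#    (4728 = global group, 4732 = domain local group, 4756 = universal group).
$filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-$Days) }
foreach ($dc in $dcs.HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -eq $GroupName } |   # TargetUserName = group
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                EventId = $_.Id
                Member  = $_.Properties[0].Value   # MemberName (DN of the added account)
                ByUser  = $_.Properties[6].Value   # SubjectUserName (who made the change)
            }
        }
}
```

If step 3 returns nothing for a re-add that step 2 shows clearly, the change either predates your log retention or arrived from a path that does not write these events (for example a restore or an external directory sync), which points back at cases 2 and 4 in Krzysztof's list.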