Solved

Active Directory User permissions

Posted on 2014-09-10
11
30 Views
Last Modified: 2015-10-16
All,
Got a really odd issue in AD. We are about to deploy Lync and have found that around 50% of all user accounts are set to not inherit permissions from the parent. We change this and less than an hour later it is unchecked again, making it impossible to apply permissions and making changes on these accounts consistently. AdminCount on these accounts is either set to 0 or null. they are not members of protected groups and have never been. They are not members of groups that are nested into protected groups either.
The users do not seem to have any commonality either, different departments, different sites, different countries. two people sat next to each other started almost at the same time and one is fine and the other is not.
Has anyone seen this before. To me it looks as though there is an ldap query running somewhere that is selecting this group of users, based on god knows what criteria, and applying permissions and removing inheritence. But as this is only affecting our European domain and not Asia or North America then something must be running, but I cannot find what or where.
I'm at a loss on my old friend google I cannot find anything at all, I am hoping however you guys might be able to help out.
0
Comment
Question by:karlpearson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40315643
Hi.

Those objects have ACLs and ACLs can be audited. Then you would be able to look at the security logs and see who is changing those ACLs the next time.
0
 

Author Comment

by:karlpearson
ID: 40316391
Cheers McKnife, we have 250,000 security events running through each domain controller every hour. I have checked the inherited permissions on a user account, and searched through one of the domain controllers trying to find the change, but have been unsuccessful. I believe auditing is switched on to monitor that change, but I cannot find it.
I realise that I am essentially asking for help to find something that is running on something and it's somewhere, but I'm not sure how much more my desk can take from me smacking my head off it....
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40316401
You need to filter results.
Also make sure that auditing is turned on for that object you change the ACL of.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:karlpearson
ID: 40316416
I'm pretty sure it is and all I can see in audit logs is, the eventid is 4738 which is also the same as password resets and any account management activities, this doesn't really identify this as the change that I made so that I can find this through a filter.:-
A user account was changed.

Subject:
      Security ID:            XXXX\XXXXXXX
      Account Name:            XXXXXXX
      Account Domain:            XXX
      Logon ID:            0xc3XXXXXX

Target Account:
      Security ID:            XXXX\XXXXXXX
      Account Name:            XXXXXXX
      Account Domain:            xxx

Changed Attributes:
      SAM Account Name:      -
      Display Name:            -
      User Principal Name:      -
      Home Directory:            -
      Home Drive:            -
      Script Path:            -
      Profile Path:            -
      User Workstations:      -
      Password Last Set:      -
      Account Expires:            -
      Primary Group ID:      -
      AllowedToDelegateTo:      -
      Old UAC Value:            -
      New UAC Value:            -
      User Account Control:      -
      User Parameters:      -
      SID History:            -
      Logon Hours:            -

Additional Information:
      Privileges:            -
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40316429
Karl, take a test object (a user object), enable auditing on it. Change its ACL and take note of the exact time when you do. Next, open the server's sec eventlog and see what even was written at that point in time.
0
 

Author Comment

by:karlpearson
ID: 40316463
That is what is essentially posted above. Sorry should have explained that. It tells me that a change has been made but it does not tell me what the change was, so I cannot find it through a filter.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40316484
But it tells you who did that change. And that alone is useful, isn't it?
0
 

Author Comment

by:karlpearson
ID: 40316556
It is yes, thank you. It's just if whatever is making the change is doing it as a user account then it becomes harder to spot. if it is a computer account e.g. a domain controller making the change then it will stand out like a sore thumb. I was hoping that there might be some other way of doing this, but it looks as though I am consigned to mooching through all of the domain controllers (hoping it's one of them) checking their logs.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40316613
Right.
I must say, I have never heard such a thing. Sounded at once like protected groups, but you ruled that out.
0
 

Author Comment

by:karlpearson
ID: 40316627
Yep, first place I went with it. going to have to ask our US guys to take a look at their servers to see if they are running anything. They say not, but will have to ask again. Hopefully it's not something legacy that no one knows about....
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41043713
What was the solution?
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question