Solved

Active Directory User permissions

Posted on 2014-09-10
11
38 Views
Last Modified: 2015-10-16
All,
Got a really odd issue in AD. We are about to deploy Lync and have found that around 50% of all user accounts are set to not inherit permissions from the parent. We change this and less than an hour later it is unchecked again, making it impossible to apply permissions and making changes on these accounts consistently. AdminCount on these accounts is either set to 0 or null. they are not members of protected groups and have never been. They are not members of groups that are nested into protected groups either.
The users do not seem to have any commonality either, different departments, different sites, different countries. two people sat next to each other started almost at the same time and one is fine and the other is not.
Has anyone seen this before. To me it looks as though there is an ldap query running somewhere that is selecting this group of users, based on god knows what criteria, and applying permissions and removing inheritence. But as this is only affecting our European domain and not Asia or North America then something must be running, but I cannot find what or where.
I'm at a loss on my old friend google I cannot find anything at all, I am hoping however you guys might be able to help out.
0
Comment
Question by:karlpearson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 40315643
Hi.

Those objects have ACLs and ACLs can be audited. Then you would be able to look at the security logs and see who is changing those ACLs the next time.
0
 

Author Comment

by:karlpearson
ID: 40316391
Cheers McKnife, we have 250,000 security events running through each domain controller every hour. I have checked the inherited permissions on a user account, and searched through one of the domain controllers trying to find the change, but have been unsuccessful. I believe auditing is switched on to monitor that change, but I cannot find it.
I realise that I am essentially asking for help to find something that is running on something and it's somewhere, but I'm not sure how much more my desk can take from me smacking my head off it....
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40316401
You need to filter results.
Also make sure that auditing is turned on for that object you change the ACL of.
0
Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

 

Author Comment

by:karlpearson
ID: 40316416
I'm pretty sure it is and all I can see in audit logs is, the eventid is 4738 which is also the same as password resets and any account management activities, this doesn't really identify this as the change that I made so that I can find this through a filter.:-
A user account was changed.

Subject:
      Security ID:            XXXX\XXXXXXX
      Account Name:            XXXXXXX
      Account Domain:            XXX
      Logon ID:            0xc3XXXXXX

Target Account:
      Security ID:            XXXX\XXXXXXX
      Account Name:            XXXXXXX
      Account Domain:            xxx

Changed Attributes:
      SAM Account Name:      -
      Display Name:            -
      User Principal Name:      -
      Home Directory:            -
      Home Drive:            -
      Script Path:            -
      Profile Path:            -
      User Workstations:      -
      Password Last Set:      -
      Account Expires:            -
      Primary Group ID:      -
      AllowedToDelegateTo:      -
      Old UAC Value:            -
      New UAC Value:            -
      User Account Control:      -
      User Parameters:      -
      SID History:            -
      Logon Hours:            -

Additional Information:
      Privileges:            -
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40316429
Karl, take a test object (a user object), enable auditing on it. Change its ACL and take note of the exact time when you do. Next, open the server's sec eventlog and see what even was written at that point in time.
0
 

Author Comment

by:karlpearson
ID: 40316463
That is what is essentially posted above. Sorry should have explained that. It tells me that a change has been made but it does not tell me what the change was, so I cannot find it through a filter.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40316484
But it tells you who did that change. And that alone is useful, isn't it?
0
 

Author Comment

by:karlpearson
ID: 40316556
It is yes, thank you. It's just if whatever is making the change is doing it as a user account then it becomes harder to spot. if it is a computer account e.g. a domain controller making the change then it will stand out like a sore thumb. I was hoping that there might be some other way of doing this, but it looks as though I am consigned to mooching through all of the domain controllers (hoping it's one of them) checking their logs.
0
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 40316613
Right.
I must say, I have never heard such a thing. Sounded at once like protected groups, but you ruled that out.
0
 

Author Comment

by:karlpearson
ID: 40316627
Yep, first place I went with it. going to have to ask our US guys to take a look at their servers to see if they are running anything. They say not, but will have to ask again. Hopefully it's not something legacy that no one knows about....
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41043713
What was the solution?
0

Featured Post

Want Experts Exchange at your fingertips?

With Experts Exchange’s latest app release, you can now experience our most recent features, updates, and the same community interface while on-the-go. Download our latest app release at the Android or Apple stores today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question