Active Directory User permissions

Posted on 2014-09-10
Last Modified: 2015-10-16
All,
Got a really odd issue in AD. We are about to deploy Lync and have found that around 50% of all user accounts are set to not inherit permissions from the parent. We change this and less than an hour later it is unchecked again, making it impossible to apply permissions and make changes on these accounts consistently. AdminCount on these accounts is either set to 0 or null. They are not members of protected groups and have never been. They are not members of groups that are nested into protected groups either.
The users do not seem to have any commonality either: different departments, different sites, different countries. Two people sat next to each other started almost at the same time and one is fine and the other is not.
Has anyone seen this before? To me it looks as though there is an LDAP query running somewhere that is selecting this group of users, based on god knows what criteria, and applying permissions and removing inheritance. But as this is only affecting our European domain and not Asia or North America then something must be running, but I cannot find what or where.
I'm at a loss; on my old friend Google I cannot find anything at all. I am hoping however you guys might be able to help out.
Question by:karlpearson
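A way to put numbers on the symptom described in the question, as an added example that is not part of the original post: it lists every user whose "inherit permissions from parent" flag is off, alongside its adminCount and whether it is (transitively) a member of one of the groups AdminSDHolder protects, so the unexplained set can be separated from the expected one. It assumes the RSAT ActiveDirectory module; $searchBase is a placeholder.

```powershell
# Added example for this thread, not the author's script. Assumes the RSAT ActiveDirectory
# module and read access to nTSecurityDescriptor; $searchBase is a placeholder to replace.
Import-Module ActiveDirectory
$searchBase = 'DC=example,DC=com'   # placeholder: the European domain's base DN

# Groups whose members AdminSDHolder/SDProp marks with adminCount=1 and de-inherits,
# so a non-inheriting user who is NOT (transitively) in one of these is unexplained.
$protectedGroups = 'Administrators','Account Operators','Server Operators','Backup Operators',
                   'Print Operators','Domain Admins','Enterprise Admins','Schema Admins',
                   'Replicator','Domain Controllers','Read-only Domain Controllers'
$protectedMembers = @{}   # user DN -> first protected group that (recursively) contains it
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                if (-not $protectedMembers.ContainsKey($_.DistinguishedName)) {
                    $protectedMembers[$_.DistinguishedName] = $g
                }
            }
    } catch { Write-Warning "Could not expand $g : $_" }   # e.g. forest-root-only groups
}

# nTSecurityDescriptor is returned as ActiveDirectorySecurity; AreAccessRulesProtected is
# the "inherit permissions from parent" checkbox inverted (True = inheritance disabled).
$report = Get-ADUser -Filter * -SearchBase $searchBase `
            -Properties nTSecurityDescriptor, adminCount, whenChanged |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            AdminCount     = $_.adminCount
            ProtectedGroup = $protectedMembers[$_.DistinguishedName]
            WhenChanged    = $_.whenChanged   # useful to correlate with the revert timing
        }
    }

# The unexplained set: inheritance disabled, adminCount not 1, no protected-group membership.
$unexplained = @($report | Where-Object { $_.AdminCount -ne 1 -and -not $_.ProtectedGroup })
"{0} users have inheritance disabled, {1} with no protected-group explanation" -f @($report).Count, $unexplained.Count
$unexplained | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
```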
11 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 40315643
Hi.

Those objects have ACLs and ACLs can be audited. Then you would be able to look at the security logs and see who is changing those ACLs the next time.
0
 

Author Comment

by:karlpearson
ID: 40316391
Cheers McKnife, we have 250,000 security events running through each domain controller every hour. I have checked the inherited permissions on a user account, and searched through one of the domain controllers trying to find the change, but have been unsuccessful. I believe auditing is switched on to monitor that change, but I cannot find it.
I realise that I am essentially asking for help to find something that is running on something and it's somewhere, but I'm not sure how much more my desk can take from me smacking my head off it....
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40316401
You need to filter results.
Also make sure that auditing is turned on for that object you change the ACL of.
0
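The procedure McKnife outlines (audit the test object, change its ACL, note the time, then filter the security log) written out as an added example, not code from either participant. It assumes the "Audit Directory Service Changes" subcategory is enabled on the domain controllers, the running account holds SeSecurityPrivilege, and $testUserDn is replaced with a real test user. It filters on event 5136 (a directory service object was modified), which names the attribute written (nTSecurityDescriptor) and the object DN, so the filter is specific to the ACL change rather than to any account-management event.

```powershell
# Added example for this thread, not McKnife's or the author's code. Assumes the "Audit Directory
# Service Changes" subcategory is enabled on the DCs, SeSecurityPrivilege for the running account,
# and that $testUserDn is replaced with a real test user.
Import-Module ActiveDirectory
$testUserDn = 'CN=Test User,OU=Test,DC=example,DC=com'   # placeholder

# 1. Add a SACL entry to the test object so every successful WriteDacl on it is logged.
$entry = [ADSI]"LDAP://$testUserDn"
$entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl,Sacl'
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',        # Everyone
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.Security.AccessControl.AuditFlags]::Success)
$entry.ObjectSecurity.AddAuditRule($auditRule)
$entry.CommitChanges()

# 2. Re-enable inheritance (the change that keeps being reverted) and note the exact time.
$since = Get-Date
$acl = Get-Acl -Path "AD:\$testUserDn"
$acl.SetAccessRuleProtection($false, $true)   # $false = inherit again, $true = keep explicit ACEs
Set-Acl -Path "AD:\$testUserDn" -AclObject $acl

# 3. After the revert window: pull only event 5136 for the nTSecurityDescriptor attribute on
#    this DN from every DC, instead of paging through the whole security log.
$dnPattern = [regex]::Escape($testUserDn)
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } |
        Where-Object { $_.Message -match 'nTSecurityDescriptor' -and $_.Message -match $dnPattern } |
        ForEach-Object {
            # The Subject section names the account (a user, or a computer$) that wrote the descriptor.
            $subject = ($_.Message -split "`r?`n" | Select-String '^\s*Account Name:' |
                        Select-Object -First 1) -replace '^\s*Account Name:\s*', ''
            [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; Subject = $subject }
        }
}
```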
 

Author Comment

by:karlpearson
ID: 40316416
I'm pretty sure it is, and all I can see in the audit logs is the following. The event ID is 4738, which is also the same as password resets and any account management activities, so this doesn't really identify this as the change that I made in a way that lets me find it through a filter:
A user account was changed.

Subject:
      Security ID:            XXXX\XXXXXXX
      Account Name:            XXXXXXX
      Account Domain:            XXX
      Logon ID:            0xc3XXXXXX

Target Account:
      Security ID:            XXXX\XXXXXXX
      Account Name:            XXXXXXX
      Account Domain:            xxx

Changed Attributes:
      SAM Account Name:      -
      Display Name:            -
      User Principal Name:      -
      Home Directory:            -
      Home Drive:            -
      Script Path:            -
      Profile Path:            -
      User Workstations:      -
      Password Last Set:      -
      Account Expires:            -
      Primary Group ID:      -
      AllowedToDelegateTo:      -
      Old UAC Value:            -
      New UAC Value:            -
      User Account Control:      -
      User Parameters:      -
      SID History:            -
      Logon Hours:            -

Additional Information:
      Privileges:            -
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40316429
Karl, take a test object (a user object) and enable auditing on it. Change its ACL and take note of the exact time when you do. Next, open the server's security event log and see what event was written at that point in time.
0
 

Author Comment

by:karlpearson
ID: 40316463
That is what is essentially posted above. Sorry, I should have explained that. It tells me that a change has been made but it does not tell me what the change was, so I cannot find it through a filter.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40316484
But it tells you who did that change. And that alone is useful, isn't it?
0
 

Author Comment

by:karlpearson
ID: 40316556
It is, yes, thank you. It's just that if whatever is making the change is doing it as a user account then it becomes harder to spot. If it is a computer account, e.g. a domain controller, making the change then it will stand out like a sore thumb. I was hoping that there might be some other way of doing this, but it looks as though I am consigned to mooching through all of the domain controllers (hoping it's one of them) checking their logs.
0
 
LVL 56

Accepted Solution

by:
McKnife earned 1500 total points
ID: 40316613
Right.
I must say, I have never heard such a thing. Sounded at once like protected groups, but you ruled that out.
0
 

Author Comment

by:karlpearson
ID: 40316627
Yep, first place I went with it. Going to have to ask our US guys to take a look at their servers to see if they are running anything. They say not, but I will have to ask again. Hopefully it's not something legacy that no one knows about....
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41043713
What was the solution?
0
