Solved

Active Directory User permissions

Posted on 2014-09-10
11
33 Views
Last Modified: 2015-10-16
All,
Got a really odd issue in AD. We are about to deploy Lync and have found that around 50% of all user accounts are set to not inherit permissions from the parent. We change this and less than an hour later it is unchecked again, making it impossible to apply permissions and making changes on these accounts consistently. AdminCount on these accounts is either set to 0 or null. they are not members of protected groups and have never been. They are not members of groups that are nested into protected groups either.
The users do not seem to have any commonality either, different departments, different sites, different countries. two people sat next to each other started almost at the same time and one is fine and the other is not.
Has anyone seen this before. To me it looks as though there is an ldap query running somewhere that is selecting this group of users, based on god knows what criteria, and applying permissions and removing inheritence. But as this is only affecting our European domain and not Asia or North America then something must be running, but I cannot find what or where.
I'm at a loss on my old friend google I cannot find anything at all, I am hoping however you guys might be able to help out.
0
Comment
Question by:karlpearson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40315643
Hi.

Those objects have ACLs and ACLs can be audited. Then you would be able to look at the security logs and see who is changing those ACLs the next time.
0
 

Author Comment

by:karlpearson
ID: 40316391
Cheers McKnife, we have 250,000 security events running through each domain controller every hour. I have checked the inherited permissions on a user account, and searched through one of the domain controllers trying to find the change, but have been unsuccessful. I believe auditing is switched on to monitor that change, but I cannot find it.
I realise that I am essentially asking for help to find something that is running on something and it's somewhere, but I'm not sure how much more my desk can take from me smacking my head off it....
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40316401
You need to filter results.
Also make sure that auditing is turned on for that object you change the ACL of.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:karlpearson
ID: 40316416
I'm pretty sure it is and all I can see in audit logs is, the eventid is 4738 which is also the same as password resets and any account management activities, this doesn't really identify this as the change that I made so that I can find this through a filter.:-
A user account was changed.

Subject:
      Security ID:            XXXX\XXXXXXX
      Account Name:            XXXXXXX
      Account Domain:            XXX
      Logon ID:            0xc3XXXXXX

Target Account:
      Security ID:            XXXX\XXXXXXX
      Account Name:            XXXXXXX
      Account Domain:            xxx

Changed Attributes:
      SAM Account Name:      -
      Display Name:            -
      User Principal Name:      -
      Home Directory:            -
      Home Drive:            -
      Script Path:            -
      Profile Path:            -
      User Workstations:      -
      Password Last Set:      -
      Account Expires:            -
      Primary Group ID:      -
      AllowedToDelegateTo:      -
      Old UAC Value:            -
      New UAC Value:            -
      User Account Control:      -
      User Parameters:      -
      SID History:            -
      Logon Hours:            -

Additional Information:
      Privileges:            -
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40316429
Karl, take a test object (a user object), enable auditing on it. Change its ACL and take note of the exact time when you do. Next, open the server's sec eventlog and see what even was written at that point in time.
0
 

Author Comment

by:karlpearson
ID: 40316463
That is what is essentially posted above. Sorry should have explained that. It tells me that a change has been made but it does not tell me what the change was, so I cannot find it through a filter.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40316484
But it tells you who did that change. And that alone is useful, isn't it?
0
 

Author Comment

by:karlpearson
ID: 40316556
It is yes, thank you. It's just if whatever is making the change is doing it as a user account then it becomes harder to spot. if it is a computer account e.g. a domain controller making the change then it will stand out like a sore thumb. I was hoping that there might be some other way of doing this, but it looks as though I am consigned to mooching through all of the domain controllers (hoping it's one of them) checking their logs.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40316613
Right.
I must say, I have never heard such a thing. Sounded at once like protected groups, but you ruled that out.
0
 

Author Comment

by:karlpearson
ID: 40316627
Yep, first place I went with it. going to have to ask our US guys to take a look at their servers to see if they are running anything. They say not, but will have to ask again. Hopefully it's not something legacy that no one knows about....
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41043713
What was the solution?
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Configuring Remote Assistance for use with SCCM
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question