Solved

Active Directory User permissions

Posted on 2014-09-10
11
21 Views
Last Modified: 2015-10-16
All,
Got a really odd issue in AD. We are about to deploy Lync and have found that around 50% of all user accounts are set to not inherit permissions from the parent. We change this and less than an hour later it is unchecked again, making it impossible to apply permissions and making changes on these accounts consistently. AdminCount on these accounts is either set to 0 or null. they are not members of protected groups and have never been. They are not members of groups that are nested into protected groups either.
The users do not seem to have any commonality either, different departments, different sites, different countries. two people sat next to each other started almost at the same time and one is fine and the other is not.
Has anyone seen this before. To me it looks as though there is an ldap query running somewhere that is selecting this group of users, based on god knows what criteria, and applying permissions and removing inheritence. But as this is only affecting our European domain and not Asia or North America then something must be running, but I cannot find what or where.
I'm at a loss on my old friend google I cannot find anything at all, I am hoping however you guys might be able to help out.
0
Comment
Question by:karlpearson
  • 6
  • 5
11 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 40315643
Hi.

Those objects have ACLs and ACLs can be audited. Then you would be able to look at the security logs and see who is changing those ACLs the next time.
0
 

Author Comment

by:karlpearson
ID: 40316391
Cheers McKnife, we have 250,000 security events running through each domain controller every hour. I have checked the inherited permissions on a user account, and searched through one of the domain controllers trying to find the change, but have been unsuccessful. I believe auditing is switched on to monitor that change, but I cannot find it.
I realise that I am essentially asking for help to find something that is running on something and it's somewhere, but I'm not sure how much more my desk can take from me smacking my head off it....
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40316401
You need to filter results.
Also make sure that auditing is turned on for that object you change the ACL of.
0
 

Author Comment

by:karlpearson
ID: 40316416
I'm pretty sure it is and all I can see in audit logs is, the eventid is 4738 which is also the same as password resets and any account management activities, this doesn't really identify this as the change that I made so that I can find this through a filter.:-
A user account was changed.

Subject:
      Security ID:            XXXX\XXXXXXX
      Account Name:            XXXXXXX
      Account Domain:            XXX
      Logon ID:            0xc3XXXXXX

Target Account:
      Security ID:            XXXX\XXXXXXX
      Account Name:            XXXXXXX
      Account Domain:            xxx

Changed Attributes:
      SAM Account Name:      -
      Display Name:            -
      User Principal Name:      -
      Home Directory:            -
      Home Drive:            -
      Script Path:            -
      Profile Path:            -
      User Workstations:      -
      Password Last Set:      -
      Account Expires:            -
      Primary Group ID:      -
      AllowedToDelegateTo:      -
      Old UAC Value:            -
      New UAC Value:            -
      User Account Control:      -
      User Parameters:      -
      SID History:            -
      Logon Hours:            -

Additional Information:
      Privileges:            -
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40316429
Karl, take a test object (a user object), enable auditing on it. Change its ACL and take note of the exact time when you do. Next, open the server's sec eventlog and see what even was written at that point in time.
0
Free book by J.Peter Bruzzese, Microsoft MVP

Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

 

Author Comment

by:karlpearson
ID: 40316463
That is what is essentially posted above. Sorry should have explained that. It tells me that a change has been made but it does not tell me what the change was, so I cannot find it through a filter.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40316484
But it tells you who did that change. And that alone is useful, isn't it?
0
 

Author Comment

by:karlpearson
ID: 40316556
It is yes, thank you. It's just if whatever is making the change is doing it as a user account then it becomes harder to spot. if it is a computer account e.g. a domain controller making the change then it will stand out like a sore thumb. I was hoping that there might be some other way of doing this, but it looks as though I am consigned to mooching through all of the domain controllers (hoping it's one of them) checking their logs.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40316613
Right.
I must say, I have never heard such a thing. Sounded at once like protected groups, but you ruled that out.
0
 

Author Comment

by:karlpearson
ID: 40316627
Yep, first place I went with it. going to have to ask our US guys to take a look at their servers to see if they are running anything. They say not, but will have to ask again. Hopefully it's not something legacy that no one knows about....
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41043713
What was the solution?
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Group policy not applying 5 28
Roaming profile & Office 365 3 31
lync 2013 7 32
Need help in modifying an existing script 5 10
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now