+ Post New Thread
Results 1 to 6 of 6
Windows Server 2000/2003 Thread, Gone ! Again ! Why ??? in Technical; I have a bit of an odd problem. I'm currently setting up a brand new server/domain, etc for one of ...
  1. #1

    Join Date
    Jun 2007
    Location
    Cumbria
    Posts
    148
    Thank Post
    11
    Thanked 12 Times in 11 Posts
    Rep Power
    18

    Gone ! Again ! Why ???

    I have a bit of an odd problem.

    I'm currently setting up a brand new server/domain, etc for one of our local feeder primarys. We're using Server 2003 (Standard ed, SP2), just a single domain controller. The new server is sitting on the same physical network as the old one.

    I have set up a 'Staff' security group in AD. I then add the staff members to this group - all fine and good.

    I then come in the next morning, log on to the server and discover that the Staff group has no members. This happens every day and I can't find anything in the event logs as to why this is happening.

    I have another security group with just a couple of staff members in it and these staff members STAY in the group.

    Totally baffled. HELP !

    Regards all

    Adrian

  2. #2
    contink's Avatar
    Join Date
    Jul 2006
    Location
    South Yorkshire
    Posts
    3,791
    Thank Post
    303
    Thanked 327 Times in 233 Posts
    Rep Power
    118
    My guess would be that you have a script running somewhere that recreates the security group.

  3. Thanks to contink from:

    westleya (31st March 2009)

  4. #3

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,225
    Thank Post
    874
    Thanked 2,717 Times in 2,302 Posts
    Blog Entries
    11
    Rep Power
    780
    The idea would be so set up auditing on user events then check the log in the morning to see what credentials are being used to remove them and when the removal is occouring.

  5. Thanks to SYNACK from:

    westleya (31st March 2009)

  6. #4

    Join Date
    Jun 2007
    Location
    Cumbria
    Posts
    148
    Thank Post
    11
    Thanked 12 Times in 11 Posts
    Rep Power
    18
    Quote Originally Posted by SYNACK View Post
    The idea would be so set up auditing on user events then check the log in the morning to see what credentials are being used to remove them and when the removal is occouring.
    It's just done it again, almost right in fron t of my eyes...

    However, looking in the Security event logs, I have a whole load of entries with Event ID 633 and 641 where it shows the following (example):

    Source: Security
    Category: Account Management
    Type: Success A
    Event ID: 633
    User: NT Authority\system
    Computer: Server01

    Security Enabled Global Group Member Removed
    Member Name: DN=Julie Sutton,OU=Staff,OU=school,DC=fairfieldjnr,DC=inter nal
    Member ID: FAIRFIELDJNR\juliesutton
    Target Account Name: staff
    Target Domain: FAIRFIELDJNR
    Target Account ID: FAIRFIELDJNR\Staff
    Caller User Name: SERVER01$
    Caller Domain: FAIRFIELDJNR
    Caller Logon ID: (0x0,0x1D76005)
    Privileges: _

    I get one for every staff member... Seems this thing's got a mind of it's own. I don't have any clever scripts, or indeed anything weird set up at all on this server...

    Odd, odd, odd.

  7. #5
    mossj's Avatar
    Join Date
    Dec 2008
    Location
    Leicester
    Posts
    1,466
    Thank Post
    157
    Thanked 189 Times in 174 Posts
    Rep Power
    52
    I had a simular problem, which happened because they where part of the 'Print Operator' group but it was only turning inheritance off, on every user every 15 - 25 mins , not removing groups (although I didn't check for that...).

    Could be worth a look? depending on how your applying them to the group.

    P.S I sorted it by changing the replication container (turned inheritance on) that AD stamps on them, then wait 15 - 20 mins and it will stamp the new container everywhere.

    P.S.S I think it happens to all 'builtin' groups hence why your not supposed to use them.
    Last edited by mossj; 31st March 2009 at 12:32 PM.

  8. Thanks to mossj from:

    westleya (31st March 2009)

  9. #6

    Join Date
    Jun 2007
    Location
    Cumbria
    Posts
    148
    Thank Post
    11
    Thanked 12 Times in 11 Posts
    Rep Power
    18
    OK, I don't THINK it's any of the above. Have simply deleted the security group and re-added it (and re-done the security on all the relevane folders).

    Will keep an eye on it this afternoon

SHARE:
+ Post New Thread

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •