Gone ! Again ! Why ???
I have a bit of an odd problem.
I'm currently setting up a brand new server/domain, etc. for one of our local feeder primaries. We're using Server 2003 (Standard ed, SP2), just a single domain controller. The new server is sitting on the same physical network as the old one.
I have set up a 'Staff' security group in AD. I then add the staff members to this group - all fine and good.
I then come in the next morning, log on to the server and discover that the Staff group has no members. This happens every day and I can't find anything in the event logs as to why this is happening.
I have another security group with just a couple of staff members in it and these staff members STAY in the group.
Totally baffled. HELP !
My guess would be that you have a script running somewhere that recreates the security group.
The idea would be to set up auditing on user events then check the log in the morning to see what credentials are being used to remove them and when the removal is occurring.
It's just done it again, almost right in front of my eyes...
Originally Posted by SYNACK
However, looking in the Security event logs, I have a whole load of entries with Event ID 633 and 641 where it shows the following (example):
Category: Account Management
Type: Success A
Event ID: 633
User: NT Authority\system
Security Enabled Global Group Member Removed
Member Name: DN=Julie Sutton,OU=Staff,OU=school,DC=fairfieldjnr,DC=internal
Member ID: FAIRFIELDJNR\juliesutton
Target Account Name: staff
Target Domain: FAIRFIELDJNR
Target Account ID: FAIRFIELDJNR\Staff
Caller User Name: SERVER01$
Caller Domain: FAIRFIELDJNR
Caller Logon ID: (0x0,0x1D76005)
I get one for every staff member... Seems this thing's got a mind of its own. I don't have any clever scripts, or indeed anything weird set up at all on this server...
Odd, odd, odd.
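An added example (not part of any post in this thread): a small Python parser for entries in the layout quoted above that groups Event ID 633 removals by caller and target group and picks out computer-account callers. The sample log and the names in it are constructed, and it assumes the events were exported as plain text with a blank line between entries.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Event ID 633 entry quoted above;
# member names and domain are placeholders, not values from the thread.
SAMPLE_LOG = """\
Event ID: 633
Member ID: EXAMPLE\\alice
Target Account Name: staff
Caller User Name: SERVER01$

Event ID: 633
Member ID: EXAMPLE\\bob
Target Account Name: staff
Caller User Name: SERVER01$

Event ID: 633
Member ID: EXAMPLE\\carol
Target Account Name: helpdesk
Caller User Name: adminuser
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split on blank lines; turn each 'Key: value' line into a dict entry."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events

def removals_by_caller(events):
    """Group member-removed (633) events by (caller, target group)."""
    grouped = defaultdict(list)
    for e in events:
        if e.get("Event ID") == "633":
            key = (e.get("Caller User Name", "?"), e.get("Target Account Name", "?"))
            grouped[key].append(e.get("Member ID", "?"))
    return dict(grouped)

def machine_account_callers(grouped):
    """Caller names ending in '$' are computer accounts, not named admins."""
    return sorted({caller for caller, _group in grouped if caller.endswith("$")})
```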
I had a similar problem, which happened because they were part of the 'Print Operator' group, but it was only turning inheritance off on every user every 15 - 25 mins, not removing groups (although I didn't check for that...).
Could be worth a look, depending on how you're applying them to the group.
P.S I sorted it by changing the replication container (turned inheritance on) that AD stamps on them, then wait 15 - 20 mins and it will stamp the new container everywhere.
P.S.S I think it happens to all 'builtin' groups, hence why you're not supposed to use them.
OK, I don't THINK it's any of the above. Have simply deleted the security group and re-added it (and re-done the security on all the relevant folders).
Will keep an eye on it this afternoon :)