mbrunton (Guest)
Posted: Tue Nov 08, 2005 5:50 pm
Post subject: group being added to builtin administrators

I have two groups that I created to delegate control in AD. Now this weird
problem has happened twice. These two groups are automatically added to the
builtin group administrators in AD. Once this happens the users then have
full control in AD.
I removed the two groups from administrators and then next week they are
back in there. This causes the inherit rights box to become unchecked for all
the accounts in these groups.
Does anyone know what could cause this?

JPolicelli (Guest)
Posted: Tue Nov 08, 2005 9:50 pm
Post subject: RE: group being added to builtin administrators

You likely have the Administrators group defined as a restricted group in the
domain GPO.
Computer Configuration\Windows Settings\Security Settings\Restricted Groups
Allows an administrator to define two properties for security-sensitive
groups ("restricted" groups).
The two properties are "Members" and "Member Of." The Members list defines
who belongs and who does not belong to the restricted group. The Member Of
list specifies which other groups the restricted group belongs to.
When a restricted Group Policy is enforced, any current member of a
restricted group that is not on the Members list is removed. Any user on the
Members list who is not currently a member of the restricted group is added.
The Restricted Groups folder is available only in Group Policy objects
associated with domains, organizational units, and sites. The Restricted
Groups folder does not appear in the Local Computer Policy object.
If a restricted group is defined so that it has no members (i.e., the
Members list is empty), all members of the group are removed when the policy
is enforced on the system. If the Member Of list is empty, no changes are
made to any groups to which the restricted group belongs.
"mbrunton" wrote:
    I have two groups that I created to delegate control in AD. Now this weird
    problem has happened twice. These two groups are automatically added to the
    builtin group administrators in AD. Once this happens the users then have
    full control in AD.
    I removed the two groups from administrators and then next week they are
    back in there. This causes the inherit rights box to become unchecked for all
    the accounts in these groups.
    Does anyone know what could cause this?
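The Restricted Groups behaviour JPolicelli describes is stored in the GPO's security template, so the quickest way to confirm or rule it out is to read that file rather than click through the editor. The following PowerShell is an added example, not code from the thread or from any of its posters: it parses the [Group Membership] section of a GptTmpl.inf and reports, for each restricted group, whether the Members list is undefined, empty, or enforced. The sample template text, the domain SID and the RID 1107 delegation group in it are constructed placeholders; the function names are assumed.

```powershell
# Added example, not from the thread. Parses the [Group Membership] section that
# Restricted Groups writes into a GPO's security template, normally found at:
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# Entry format (one line per property):
#   *<SID or group name>__Members  = *<SID>,*<SID>
#   *<SID or group name>__Memberof = *<SID>
# A defined-but-empty Members value is significant: it removes every member on each refresh.

function Get-RestrictedGroupDefinition {
    param([Parameter(Mandatory)][string[]] $InfLines)

    $inSection = $false
    $defs = @{}
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {              # section header
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\*?(?<group>.+?)__(?<prop>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $group = $Matches['group']
            $prop  = $Matches['prop']
            $items = @($Matches['value'].Split(',') |
                       ForEach-Object { $_.Trim().TrimStart('*') } |
                       Where-Object   { $_ -ne '' })
            if (-not $defs.ContainsKey($group)) {
                $defs[$group] = @{ Members = $null; Memberof = $null }   # $null = not defined
            }
            $defs[$group][$prop] = $items
        }
    }
    return $defs
}

function Show-RestrictedGroupEffect {
    param([Parameter(Mandatory)][hashtable] $Definitions)
    foreach ($group in $Definitions.Keys) {
        $d = $Definitions[$group]
        $note = if ($null -eq $d.Members) {
            'Members not defined: existing membership is left alone'
        } elseif ($d.Members.Count -eq 0) {
            'Members defined but EMPTY: every current member is removed on each refresh'
        } else {
            "Members enforced: anyone not in [$($d.Members -join ', ')] is removed; listed accounts are added"
        }
        [pscustomobject]@{ Group = $group; Effect = $note; MemberOf = ($d.Memberof -join ', ') }
    }
}

# Constructed sample: S-1-5-32-544 (Builtin Administrators) restricted to Domain
# Admins (RID 512) plus one placeholder delegation group (RID 1107), and Backup
# Operators (S-1-5-32-551) emptied. The domain SID is a placeholder.
$sampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1107
*S-1-5-32-551__Members =
'@ -split "`r?`n"

# Real use: $lines = Get-Content -Path '<path to GptTmpl.inf>'   (path is site-specific)
Show-RestrictedGroupEffect -Definitions (Get-RestrictedGroupDefinition -InfLines $sampleInf) | Format-List
```

Because the template lists SIDs, resolve them (for example with `Get-ADObject -Filter "objectSid -eq '<SID>'"`) before deciding that a group is or is not covered; a group name only appears in clear text when the editor could not resolve it when the policy was saved.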

Paul Williams [MVP] (Guest)
Posted: Tue Nov 08, 2005 9:50 pm
Post subject: Re: group being added to builtin administrators

Sounds like you have a restricted groups policy in place:
-- http://www.msresource.net/content/view/45/47/
NOTE. If this is the case, be very careful modifying or removing a policy
of this kind. You might be better off just filtering the DCs out, and
manually modifying the affected domain groups.
Otherwise someone or something (script, application, etc.) is re-adding them.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net |

mbrunton (Guest)
Posted: Tue Nov 08, 2005 9:51 pm
Post subject: Re: group being added to builtin administrators

I checked the restricted groups and that is not enabled.
Could a user that belongs to one of these groups and also belongs to the
builtin administrator group cause this?
I looked in the event log and see that event id 684
User:NT AUTHORITY\ANONYMOUS LOGON
Category:Account Management
Set ACLs of members in administrators groups:
Target Account Name: 189reytemp
Then right after it
Event ID 642
User Account changed
Any thoughts?
"Paul Williams [MVP]" wrote:
    Sounds like you have a restricted groups policy in place:
    -- http://www.msresource.net/content/view/45/47/
    NOTE. If this is the case, be very careful modifying or removing a policy
    of this kind. You might be better off just filtering the DCs out, and
    manually modifying the affected domain groups.
    Otherwise someone or something (script, application, etc.) is re-adding them.
    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net

Paul Williams [MVP] (Guest)
Posted: Wed Nov 09, 2005 9:51 am
Post subject: Re: group being added to builtin administrators

How often are you seeing the success audit?
Also, don't forget about adminSDHolder. This will re-stamp the DACL of any
user that is a member of a protected group if the two DACLs differ:
-- http://www.msresource.net/content/view/38/46/
I don't really understand what you mean by this:
    Could a user that belongs to one of these groups and also belongs to the
    builtin administrator group cause this?
Cause what? The user being added to administrators? No. That must be
manual or via startup script (see earlier article).
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net |
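Paul's adminSDHolder pointer explains the "inherit rights box unchecked" symptom from the first post, and the success audit mbrunton quoted (event 684, "Set ACLs of members in administrators groups"; newer versions log 4780) is the event the SDProp process writes when it re-stamps an account. The stamp is never undone when an account leaves a protected group, which is why a cleanup script like the one mbrunton mentions is needed. The following PowerShell is an added example, not the poster's script: it reports every user with adminCount=1, whether inheritance is currently blocked on its DACL, and whether the user is still in a protected group, and it repairs only the orphans (anything still protected would be re-stamped within the hour anyway). It assumes the ActiveDirectory module (RSAT) and its AD: drive; the function names are assumptions.

```powershell
# Added example, not from the thread. Audits the side effect Paul describes:
# SDProp copies the AdminSDHolder DACL onto members of protected groups, sets
# adminCount=1 and disables inheritance. Accounts that later leave the group keep
# that locked-down DACL ("orphans") until somebody resets it.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-ProtectedGroupMemberDns {
    # Well-known protected groups; Builtin Administrators is S-1-5-32-544.
    # Schema/Enterprise Admins exist only in the forest root, hence the try/catch.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $sids = @('S-1-5-32-544','S-1-5-32-548','S-1-5-32-549','S-1-5-32-550',
              'S-1-5-32-551','S-1-5-32-552',
              "$domainSid-512","$domainSid-516","$domainSid-518","$domainSid-519")
    $dns = @{}
    foreach ($sid in $sids) {
        try {
            Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop |
                ForEach-Object { $dns[$_.DistinguishedName] = $true }
        } catch { }   # group absent in this domain (child domain) or unreadable
    }
    return $dns
}

function Get-AdminCountReport {
    $protected = Get-ProtectedGroupMemberDns
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                DistinguishedName  = $_.DistinguishedName
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                InProtectedGroup   = $protected.ContainsKey($_.DistinguishedName)
            }
        }
}

function Repair-OrphanedAdminCount {
    # For users no longer in any protected group: clear adminCount and re-enable
    # inheritance so they pick up the OU's delegated permissions again.
    # Supports -WhatIf; run that first and read the list.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $orphans = Get-AdminCountReport | Where-Object { -not $_.InProtectedGroup }
    foreach ($u in $orphans) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'clear adminCount and restore inheritance')) {
            Set-ADUser -Identity $u.DistinguishedName -Clear adminCount
            $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
            $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep explicit ACEs
            Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
        }
    }
}

# Usage:
#   Get-AdminCountReport | Format-Table
#   Repair-OrphanedAdminCount -WhatIf
```

Note that the report checks direct and nested membership of the well-known protected groups only; if the domain has added its own groups to AdminSDHolder protection, extend the SID list before trusting the InProtectedGroup column.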

mbrunton (Guest)
Posted: Wed Nov 09, 2005 5:50 pm
Post subject: Re: group being added to builtin administrators

This is the first time I have seen the success audit. But I believe it
happened around the same time last week. I just recently wrote a script to
show me the members of the administrators group every day in an email, so I
know when this change happens.
adminSDHolder - All these members were once members of Domain Admins.
I ran the script that changes the adminSDHolder back to 0. So now they have
the inherit rights box checked. But it is not users being moved, it is a
group being added to the builtin administrators.
To clarify "Could a user that belongs to one of these groups and also belongs
to the builtin administrator group cause this?": A user belongs to GroupA and
GroupB. GroupA is a member of builtin Administrators. GroupB is a standard
security group. Could this cause GroupB to be added to the builtin
Administrators group?
I don't believe there are any scripts running, because these groups have
just been created. But I will check again.
"Paul Williams [MVP]" wrote:
    How often are you seeing the success audit?
    Also, don't forget about adminSDHolder. This will re-stamp the DACL of any
    user that is a member of a protected group if the two DACLs differ:
    -- http://www.msresource.net/content/view/38/46/
    I don't really understand what you mean by this:
    Could a user that belongs to one of these groups and also belongs to the
    builtin administrator group cause this?
    Cause what? The user being added to administrators? No. That must be
    manual or via startup script (see earlier article).
    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net

Paul Williams [MVP] (Guest)
Posted: Thu Nov 10, 2005 1:51 am
Post subject: Re: group being added to builtin administrators

    A user belongs to GroupA and GroupB. GroupA is a member of builtin
    Administrators. GroupB is a standard security group. Could this cause
    GroupB to be added to the builtin Administrators group?
No. The user in question would have the administrators SID in his access
token, but there is no way the non-admin group would get added into there.
If not restricted groups or script, this must be a user, service, app or
rogue app doing this.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net |

Paul Williams [MVP] (Guest)
Posted: Thu Nov 10, 2005 5:51 pm
Post subject: Re: group being added to builtin administrators

Yeah, that'll do it. I've seen similar issues with restricted groups
policies, because some psycho moved a DC into a regional OU <g>
Glad you got it sorted! No worries re. the help.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net |

mbrunton (Guest)
Posted: Thu Nov 10, 2005 5:51 pm
Post subject: Re: group being added to builtin administrators

You were right.
We have a weekly SMS script that runs on every server adding these two
groups to the local admins group. Since this included the domain
controllers, it caused this problem.
Thanks for your help on this.
"Paul Williams [MVP]" wrote:
    A user belongs to GroupA and GroupB. GroupA is a member of builtin
    Administrators. GroupB is a standard security group. Could this cause
    GroupB to be added to the builtin Administrators group?
    No. The user in question would have the administrators SID in his access
    token, but there is no way the non-admin group would get added into there.
    If not restricted groups or script, this must be a user, service, app or
    rogue app doing this.
    --
    Paul Williams
    Microsoft MVP - Windows Server - Directory Services
    http://www.msresource.net | http://forums.msresource.net
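The root cause mbrunton found is a general one: a domain controller has no local SAM, so "local Administrators" on a DC is the domain's Builtin Administrators group, and any fleet-wide job that adds members to local Administrators silently becomes a domain-wide change when it reaches a DC. The following PowerShell is an added example, not the SMS script from the thread or mbrunton's daily email script: a local-admin add step that refuses to run on a DC, and a baseline comparison of Builtin Administrators membership of the kind mbrunton describes in his earlier post, which reports additions and removals since the last run. It assumes the ActiveDirectory module, the Microsoft.PowerShell.LocalAccounts cmdlets (Windows Server 2016 / PowerShell 5.1 or later), and a baseline file path of its own choosing; group and function names are placeholders.

```powershell
# Added example, not from the thread. Two defensive pieces for the failure
# described above: a per-server "add group to local Administrators" step that
# refuses to run on a domain controller, and a daily membership baseline check.
# Names, paths and the example group are assumptions, not the poster's.
Import-Module ActiveDirectory

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # A DC has no local SAM, so "local Administrators" on it IS the domain's
    # Builtin Administrators group (S-1-5-32-544).
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Add-GroupToLocalAdministrators {
    param([Parameter(Mandatory)][string[]] $DomainGroup)   # e.g. 'CONTOSO\ServerOps' (placeholder)
    if (Test-IsDomainController) {
        Write-Warning "Refusing on a domain controller: $env:COMPUTERNAME"
        return
    }
    foreach ($g in $DomainGroup) {
        # Add-LocalGroupMember errors on an existing member, so check first
        $present = Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $g
        if (-not $present) { Add-LocalGroupMember -Group 'Administrators' -Member $g }
    }
}

function Compare-AdminGroupMembership {
    # Compare current Builtin Administrators membership with a saved baseline;
    # return the differences and, on request, overwrite the baseline.
    param(
        [string] $BaselinePath = "$env:ProgramData\admin-baseline.txt",   # assumed location
        [switch] $UpdateBaseline
    )
    $current = @(Get-ADGroupMember -Identity 'S-1-5-32-544' |
                 ForEach-Object { $_.DistinguishedName } | Sort-Object)
    $baseline = if (Test-Path $BaselinePath) { @(Get-Content $BaselinePath) } else { @() }
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    $report = foreach ($d in $diff) {
        [pscustomobject]@{
            Member = $d.InputObject
            Change = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        }
    }
    if ($UpdateBaseline) { $current | Set-Content -Path $BaselinePath }
    return $report
}

# Usage (scheduled daily on a management host, not on the DCs themselves):
#   Compare-AdminGroupMembership                   # first run: everything shows as ADDED
#   Compare-AdminGroupMembership -UpdateBaseline   # accept the reviewed state
#   Compare-AdminGroupMembership | Send-MailMessage ...   # or whatever alerting you use
```

The comparison is by direct membership only, which matches what the thread needed (a group object appearing in the Builtin Administrators member list); add `-Recursive` to the Get-ADGroupMember call if nested users should be tracked as well.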