BrianP027 (Member), Jun 15, 2015 at 11:34 am, #165422
Having an issue with AD that’s driving me mad, perhaps someone has come across this before.
Some potentially relevant facts:
- Domain Functional Level 2008, Forest Functional Level 2003
- 3 DCs: Windows Server 2008 (virtual), Windows Server 2008 R2, Windows Server 2012 (virtual)
- Domain has a two-way trust with another domain and a one-way trust to another domain (our users can log into that domain’s machines, but not vice versa)
- We were using Microsoft Online Services for E-mail, but we’ve moved on to Office 365 with Directory Synchronization.
- In order to have our VPN appliance work with AD, we’ve added an attribute to the user schema, VPN-Access, which is a numerical value that translates on the appliance to a set of VPN rights. As far as I’m aware, there have been no other changes to the user object schema.
Within this domain, we have created new OUs for Computers, Users, and Groups, so we’re not using any of the default structure. We have our users in the Created OU For Users (call it COUFU for short), separated into sub-OUs based on role (COUFU-Employees, COUFU-Consultants, COUFU-Disabled, etc). We are trying to designate our new Helpdesk guy’s security group with permissions to create new, edit current, and reset password. We’ve used the Delegation Wizard to apply the correct permissions, and it appears to work (permissions appear in the DACL). However, a subset of our users have their DACLs reset automatically at certain intervals, and lock the Helpdesk back out again. They are not, however, resetting to system defaults: they’re resetting to a set list of permissions, which makes me think a past admin has something running that does this automatically. (No, I don’t have access to past admins).
I’ve sniffed for Group Policy that resets the permissions, but no dice. There are no scheduled tasks running on any of the 3 DCs that I can see that would be doing this either. And I don’t know where in the logs to look in order to see if any kind of script has been applied by the domain controller or the permissions have been changed.
So the questions:
- Is this a function of AD I don’t know about or don’t remember?
- When someone changes the DACL of a user object in AD, is it logged somewhere in Windows Event Viewer?
- If not, how would I find out who, what, where, and when this change of files is taking place?
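An added example for the two "is it logged / who changed it" questions above (editor-supplied, not code from the poster): run on a DC, it first lists which users in the OU currently lack an ACE for the delegated group and whether they carry adminCount=1 (accounts protected by AdminSDHolder have their DACL rewritten on a fixed schedule by the SDProp process, which would look exactly like "reset at certain intervals"), then pulls Security event 5136 entries where the modified attribute is nTSecurityDescriptor. The OU distinguished name and group name are placeholders; the second function assumes the "Directory Service Changes" audit subcategory is enabled and the user objects carry a SACL auditing permission changes, otherwise no 5136 events exist.

```powershell
# Added example, not from the original post. Placeholders: $UserOU and $HelpdeskGroup.
Import-Module ActiveDirectory

$UserOU        = 'OU=COUFU,DC=example,DC=local'   # placeholder DN for the users OU
$HelpdeskGroup = 'EXAMPLE\Helpdesk'               # placeholder delegated security group

# 1. Current DACL state per user: is the delegated ACE present, and is the account
#    flagged adminCount=1 (i.e. a candidate for AdminSDHolder/SDProp rewrites)?
function Get-DelegationState {
    param([string]$SearchBase, [string]$Identity)
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $aces = $_.nTSecurityDescriptor.Access |
                Where-Object { $_.IdentityReference.Value -eq $Identity }
            [pscustomobject]@{
                User           = $_.SamAccountName
                AdminCount     = $_.adminCount
                HasHelpdeskAce = [bool]$aces
            }
        }
}

# 2. Who rewrote a user object's security descriptor, and when. With Directory Service
#    Changes auditing, each attribute change is Security event 5136; the attribute
#    name, object DN and acting account are in the event's XML data block.
function Get-DaclChangeEvents {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['AttributeLDAPDisplayName'] -eq 'nTSecurityDescriptor') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Object = $d['ObjectDN']
                    # Raw code in the XML: %%14674 = Value Added, %%14675 = Value Deleted
                    OpType = $d['OperationType']
                }
            }
        }
}

Get-DelegationState -SearchBase $UserOU -Identity $HelpdeskGroup | Format-Table -AutoSize
Get-DaclChangeEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

If the users that keep losing the delegated ACE all show AdminCount = 1 in the first table, compare the DACL that comes back with the one on CN=AdminSDHolder,CN=System in the domain, since that is the template SDProp stamps onto protected accounts.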