    I have a global security group in a Windows 2003 AD environment; we have 2 DCs. I have added two users to a group and there are 5 users in this group. In the morning 2 of the users are gone from the group. I follow the steps of adding them in and the next morning they are gone. I have auditing enabled for both success and failure for group changes and there are no entries, which from my reading should be event ID 633. I think this may be a replication issue with our AD. Any thoughts on this, or how would a person go about looking closer into the AD part?

  • #2
    When you add the users to the group, check that both DCs are showing the same users in the group.

    Are there any other DCs higher up the tree?


    • #3
      I have checked that when I add the users they are visible on both servers and the group looks correct at that time. We do not have a parent domain above this one that the group exists in.


      • #4
        Is it the same two users that are gone every time? Have you tried adding a completely different user as a test to see if they remain?


        • #5
          emjay's question is good. If it is the same two users, what other groups are they members of? Even if it's not the same users, cross-checking the group membership for each user you're trying to add to the new group would be a good way to troubleshoot the problem.

          • #6
            I can think of only one likely reason why this is happening: you have a GPO that defines the membership of that particular group.

            Replication seems very unlikely to me, especially if you are running in W2003 forest mode.


            • #7
              I would also check a replication log and see if you can find anything there.


              • #8
                Are these security groups mail-enabled?
                Does someone have write permissions on these groups?

                I've seen it many times that someone had created a security group, later mail-enabled it because the department wanted to use it as a DL as well, and given a user the permissions to manage the group. You'll see a user with write permissions under the "Security" tab of this group.
                What usually happens is that the user is removing other users from the DL and is not aware that he/she is thereby also removing access rights to files and folders.
                Naturally, users call and complain they have lost access to certain folders.
                Yesterday we stood at the edge of the abyss. Today we are a step further...
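The three checks suggested in this thread (#2: compare what each DC reports, #6: look for a Restricted Groups policy, #8: see who has write rights on the group) can be run from one script. This is an added example, not code from any poster; it assumes the RSAT ActiveDirectory and GroupPolicy modules on a management host, DCs that answer AD Web Services queries (on Windows 2003 DCs that means the Active Directory Management Gateway Service), and placeholder names for the group and the two DCs.

```powershell
# Added diagnostic script (not from the thread). Group and DC names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'FileShare-Users'          # placeholder: the group losing members
$DCs       = @('DC1', 'DC2')            # placeholder: Get-ADDomainController -Filter * lists the real ones

# 1. Post #2: read the member list as each DC sees it. Lists that differ point at
#    replication; lists that agree but shrink overnight point at something rewriting the group.
$members = @{}
foreach ($dc in $DCs) {
    $members[$dc] = Get-ADGroupMember -Identity $GroupName -Server $dc |
                    Select-Object -ExpandProperty SamAccountName | Sort-Object
}
$diff = Compare-Object -ReferenceObject $members[$DCs[0]] -DifferenceObject $members[$DCs[1]]
if ($diff) { "Membership differs between $($DCs -join ' and '):"; $diff | Format-Table -AutoSize }
else       { "Both DCs agree on $($members[$DCs[0]].Count) members." }

# 2. Post #6: find any GPO whose Restricted Groups section names this group. Such a
#    policy re-applies its fixed member list on every refresh, undoing manual additions.
foreach ($gpo in Get-GPO -All) {
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if ($xml -match 'RestrictedGroups' -and $xml -match [regex]::Escape($GroupName)) {
        "GPO '$($gpo.DisplayName)' references $GroupName under Restricted Groups."
    }
}

# 3. Post #8: list non-default principals holding write rights on the group object.
#    Anyone with WriteProperty (e.g. on 'member') or GenericWrite/GenericAll can remove members
#    through Outlook or ADUC without it looking like an admin change.
$group = Get-ADGroup -Identity $GroupName
$acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner') -and
        $_.IdentityReference -notmatch 'Domain Admins|Enterprise Admins|SYSTEM|Account Operators|Administrators'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Any hit in step 2 or 3 explains missing members without any 633/4733 audit event being logged for the admin who added them, since the removal is done by policy processing or by the delegated user.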