Users being removed from groups


  • Users being removed from groups

    I'm having a problem with user accounts randomly (as far as I can tell) being removed from security groups. It has been happening over the last few months with different users and different groups, although one specific user has been removed from the same group 4 times now. These users have been in these groups for years without a problem, then suddenly they are removed.

    It is an AD 2003 environment with only 1 domain and 6 domain controllers. We only have 3 domain admins and none of us are changing the groups. None of our users are admins of any kind, not even local to their PCs.

    If anyone has experience or suggestions for troubleshooting this issue please let me know. Thanks.

    -Chris

  • #2
    Re: Users being removed from groups

    Enable auditing on your DCs -- Account Management
    See here for more info
    http://www.windowsecurity.com/articl...-Auditing.html

    And DON'T trust your fellow admins!
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Users being removed from groups

      I think I will enable auditing, thanks for the tip. Next time it happens hopefully I'll catch it in the logs.

      I know what you mean by not trusting my co-workers... we can pull some pretty mean pranks on each other.

      Any other suggestions?



      • #4
        Re: Users being removed from groups

        Gather information first, then act
        Tom Jones


        • #5
          Re: Users being removed from groups

          Auditing was set up and it works great. If I remove someone from a group it shows two log entries, one for the user account change and another for the group change.

          This morning I come in and another account has been removed from a security group. Perfect! I thought, I'll check the logs and see what's going on. Well, the logs didn't show anything. No changes showed up for the user or group. I know this account change didn't happen before I enabled auditing, it should have shown up.

          Any other ideas?



          • #6
            Re: Users being removed from groups

            Did you check ALL your DCs?
            Tom Jones


            • #7
              Re: Users being removed from groups

              Silly me, I should have known to check all the DCs.

              OK, so I found the user responsible for removing people from groups. The problem is he is just a normal user account with no special permissions. He is in only a few security groups and I made sure none of those groups are nested inside other groups that might give him any kind of admin privileges. Also, this person's computer skills are very low, he has yet to master complicated tasks such as the "right click". I know he's not doing anything on purpose and I have things locked down so they can't even accidentally do any harm. (can't open a command prompt, can't open MMCs, can't run scripts and can't make registry changes)

              I will keep monitoring to see if it is the same user every time or if it changes. Other than that, I'm not sure what else to do.

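The point made in posts #6 and #7, that a membership change is logged only in the Security log of the domain controller that processed it, as an added example that is not part of the original thread: a read-only sweep of every DC for "member removed" events. It assumes Windows PowerShell 2.0 or later, Account Management auditing already enabled, rights to read remote Security logs, and a 7-day look-back window chosen for illustration.

```powershell
# Added example: collect "group member removed" events from every DC in the
# current domain and merge them into one timeline.
# Event IDs on Windows Server 2003: 633 (global), 637 (domain local), 661 (universal).
# On Windows Server 2008 and later the equivalents are 4729, 4733 and 4757.
$removalIds = 633, 637, 661
$since      = (Get-Date).AddDays(-7)   # assumed look-back window

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$events = foreach ($dc in $domain.DomainControllers) {
    try {
        Get-EventLog -LogName Security -ComputerName $dc.Name `
                     -InstanceId $removalIds -After $since -ErrorAction Stop |
            Select-Object @{ n = 'LoggedOn'; e = { $dc.Name } },
                          TimeGenerated, EventID, Message
    }
    catch {
        # Reached for an unreachable DC and also when a DC has no matching
        # events; the message text tells the two cases apart.
        Write-Warning ("{0}: {1}" -f $dc.Name, $_.Exception.Message)
    }
}

# The Message text of each event names the member, the group and the caller.
$events | Sort-Object TimeGenerated | Format-List
```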


              • #8
                Re: Users being removed from groups

                Are the groups in question Distribution Groups?



                • #9
                  Re: Users being removed from groups

                  Nope, security groups.



                  • #10
                    Re: Users being removed from groups

                    Darn it, I thought I was on to something.

                    Does the user have any clue?

                    Is the user forthcoming about any activities that they're performing that might be causing this?

                    Are these groups related to Sharepoint or any other enterprise application?



                    • #11
                      Re: Users being removed from groups

                      The user doesn't have any idea what's going on. We don't use Sharepoint. All he does is check his Exchange account via Outlook and work on documents in Word/Excel. Very basic stuff.

                      All our desktops and servers, including DCs, are fully patched via WSUS. We run Symantec Endpoint Protection 11.4 on all desktops and servers, definitions are updated hourly.



                      • #12
                        Re: Users being removed from groups

                        OK, I've found out how he's doing it:

                        A little background first. I have security groups set up in AD mostly for basic file security and I have our logon script map network drives for people in certain groups. These security groups also have Exchange accounts set up so you can send an email to it and everyone in the group gets the email. Basic stuff.

                        Here is what is happening. In Outlook 2003 you can search for users and groups to add as a recipient. (create new email and hit the "To" button) When looking through this list you can view the properties of groups and modify its members. Usually when you try to modify members you get an error message saying you don't have permission to modify... however if you are a member of that group it allows you to add or remove users.

                        So now the question is how do I stop that. It doesn't seem like this is default behavior so I'm assuming somewhere along the line someone changed a setting to allow this. Anyone have any ideas on what that setting would be?



                        • #13
                          Re: Users being removed from groups

                          It's funny. I thought it was related to email enabled group membership. So in this case it's a mail enabled security group and not a distribution group. I'm not sure why it's happening though. I tried to tinker with my distribution group membership earlier today while I was pondering this issue and I was not able to modify the members as you stated. Somewhere the user has more Exchange permissions than they should. Look at the security tab on the group and look at Exchange delegation to see if that gives you a clue.



                          • #14
                            Re: Users being removed from groups

                            OK, I got it completely figured out. The story is as follows:

                            Back in January 2006 there was a hotfix that screwed up users' ability to edit Outlook delegates. (kb913696 - bottom of page) To fix this you had to go to each user account in AD and check "Write Personal Information" for Self permissions. Easy enough, just takes a little time to go through all the user accounts.

                            Well, someone got smart and decided to set the Self permissions at the root of our domain and have them propagate to all child objects. Easier than doing them one at a time, right? Well, they didn't think about what would happen with those settings applied to security groups. With those Self permissions set, users are able to change security group memberships (via Outlook) for groups they are a member of. Oops!

                            So I think I've got everything all fixed now. I've done testing and everything is working as it should. Thanks for everyone's help.

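Post #14 traces the problem to Self permissions set at the domain root and inherited by security groups. As an added example that is not part of the original thread, this read-only check lists every group object that carries an effective Allow ACE giving SELF write access, so the same misconfiguration can be found or its removal confirmed. It assumes Windows PowerShell 2.0 or later and an account that can read security descriptors in the current domain.

```powershell
# Added example (read-only): report group objects with an effective Allow ACE
# that grants write access to SELF (well-known SID S-1-5-10).
$selfSid     = 'S-1-5-10'
$sidType     = [System.Security.Principal.SecurityIdentifier]
$writeProp   = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# With no search root given, the searcher binds to the current user's domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher('(objectCategory=group)')
$searcher.PageSize = 500    # enable paging so large domains are fully enumerated

$findings = foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    # Explicit and inherited ACEs, with trustees returned as SIDs
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $selfSid) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs are passed to children but do not apply here
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$rule.ActiveDirectoryRights -band $writeProp) -eq 0) { continue }
        New-Object PSObject -Property @{
            Group      = $result.Properties['distinguishedname'][0]
            Inherited  = $rule.IsInherited
            Rights     = $rule.ActiveDirectoryRights
            # All-zero GUID = every property; otherwise one attribute or property set
            ObjectType = $rule.ObjectType
        }
    }
}

$findings | Sort-Object Group | Format-List Group, Inherited, Rights, ObjectType
```

Rows with `Inherited = True` come from a parent container or the domain root, which is where the thread's misconfiguration lived; each `ObjectType` GUID still has to be looked up to see which attribute or property set the ACE covers.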


                            • #15
                              Re: Users being removed from groups

                              So it did turn out that users had more permissions than they should. Glad you got it sorted and nice detective work.
