flyfishMemberApril 28, 2005 at 9:59 am #103065
I have a global security group in a windows 2003 AD environment, we have 2 dc’s, I have added to users to a group and there are 5 users in this group. In the morning 2 of the users are gone from the group. I follow the steps of adding them in and the next morning they are gone. I have auditing enabled for both success and failure for group changes and there are no entries which from my reading should be eventid 633. I think this may be a replication issue with our AD. Any thoughts on this or how would a person go about looking closer into the AD part.
emjay653MemberApril 28, 2005 at 10:56 am #235042
When you add the users to the group, check that both DCs are showing the same users in the group.
Are there any other DCs higher up the tree?
flyfishMemberApril 28, 2005 at 11:14 am #235463
I have checked that when I add the users they are vissible on both servers and the group look correct at that time. We do not have a parent domain above this one that the group exists in.
emjay653MemberApril 28, 2005 at 12:31 pm #235044
Is it the same two users that are gone every time? Have you tried adding a completely different user as a test to see if they remain?
LincFuMemberApril 28, 2005 at 12:56 pm #231430
emjay’s question is good. If it is the same two users, what other groups are they members of? Even if it’s not the same users, cross-checking the group membership for each user you’re trying to add to the new group would be a good way to troubleshoot the problem.
wkasdoMemberApril 29, 2005 at 5:04 am #224786
I can think of only one likely reason why this is happening: you have a GPO that defines the membership of that particular group.
Replication seems very unlikely to me, especially if you are running in W2003 forest mode.
karabaxMemberMay 3, 2005 at 11:08 am #235316
I would also check a replication log and see if you can find anything there.
chrisMemberMay 3, 2005 at 11:53 pm #225418
are these security groups mail-enabled?
does someone have write permissions on these groups?
i’ve seen it many times that someone had created a security group, later mail-enabled it because the department wanted to use it as a DL as well and given a user the permissions to manage the group. you’ll see a user with write permissions under the “security” tab of this group.
what usually happens is that the user is removing other users from the DL and is not aware that he/she is thereby also removing access rights to files and folders.
naturally, users call and complain they have lost access to certain folders.
You must be logged in to reply to this topic.