users disappear from global group


This topic contains 7 replies, has 6 voices, and was last updated by flyfish 14 years, 5 months ago.

    flyfish
    Member
    #103065

    I have a global security group in a Windows 2003 AD environment; we have 2 DCs. I have added two users to a group and there are 5 users in this group. In the morning 2 of the users are gone from the group. I follow the steps of adding them in and the next morning they are gone. I have auditing enabled for both success and failure for group changes and there are no entries, which from my reading should be event ID 633. I think this may be a replication issue with our AD. Any thoughts on this, or how would a person go about looking closer into the AD part?

    emjay653
    Member
    #235042

    When you add the users to the group, check that both DCs are showing the same users in the group.

    Are there any other DCs higher up the tree?

    flyfish
    Member
    #235463

    I have checked that when I add the users they are visible on both servers and the group looks correct at that time. We do not have a parent domain above this one that the group exists in.

    emjay653
    Member
    #235044

    Is it the same two users that are gone every time? Have you tried adding a completely different user as a test to see if they remain?

    LincFu
    Member
    #231430

    emjay’s question is good. If it is the same two users, what other groups are they members of? Even if it’s not the same users, cross-checking the group membership for each user you’re trying to add to the new group would be a good way to troubleshoot the problem.

    wkasdo
    Member
    #224786

    I can think of only one likely reason why this is happening: you have a GPO that defines the membership of that particular group.

    Replication seems very unlikely to me, especially if you are running in W2003 forest mode.
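
One way to test the GPO explanation in the reply above, as an added example that is not part of the original thread: Restricted Groups settings are stored in each GPO's GptTmpl.inf under `[Group Membership]`, and a `__Members` line there replaces the group's membership when policy is applied. The SIDs, GPO GUIDs and function names below are constructed placeholders.

```python
import re

# Constructed GptTmpl.inf contents keyed by placeholder GPO GUIDs (not from the thread).
# Real files live under SYSVOL in ...\Machine\Microsoft\Windows NT\SecEdit\ and are
# typically UTF-16, so read them with open(path, encoding="utf-16").
GROUP = "S-1-5-21-1-2-3-1150"                      # placeholder SID of the global group
KEPT = [f"S-1-5-21-1-2-3-{rid}" for rid in (1201, 1202, 1203)]
ADDED = ["S-1-5-21-1-2-3-1204", "S-1-5-21-1-2-3-1205"]   # users added by hand
SAMPLE_GPOS = {
    "{11111111-1111-1111-1111-111111111111}": (
        "[Unicode]\r\nUnicode=yes\r\n[Group Membership]\r\n"
        f"*{GROUP}__Memberof =\r\n"
        f"*{GROUP}__Members = " + ",".join("*" + s for s in KEPT) + "\r\n"
    ),
    "{22222222-2222-2222-2222-222222222222}": "[System Access]\r\nMinimumPasswordLength = 8\r\n",
}

ENTRY = re.compile(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.IGNORECASE)

def restricted_groups(inf_text):
    """Parse [Group Membership] into {group: {'members': [...], 'memberof': [...]}}."""
    result, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        match = ENTRY.match(line) if in_section else None
        if match:
            group, kind, value = match.groups()
            names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            result.setdefault(group.lstrip("*").lower(), {})[kind.lower()] = names
    return result

def policies_enforcing(gpos, group):
    """GPOs with a Members line for group; that line replaces the membership,
    even when it is empty. A Memberof line alone does not remove anyone."""
    hits = {}
    for gpo, text in gpos.items():
        entry = restricted_groups(text).get(group.lower(), {})
        if "members" in entry:
            hits[gpo] = entry["members"]
    return hits

def removed_at_refresh(enforced, current):
    """Members in the group now that the policy will take out again."""
    allowed = {m.lower() for m in enforced}
    return sorted(m for m in current if m.lower() not in allowed)

if __name__ == "__main__":
    for gpo, members in policies_enforcing(SAMPLE_GPOS, GROUP).items():
        print(gpo, "removes", removed_at_refresh(members, KEPT + ADDED))
```

Entries may name the group by SID (prefixed with `*`) or by account name, so search for both forms of the affected group.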

    karabax
    Member
    #235316

    I would also check a replication log and see if you can find anything there.

    chris
    Member
    #225418

    Are these security groups mail-enabled?
    Does someone have write permissions on these groups?

    I’ve seen it many times that someone had created a security group, later mail-enabled it because the department wanted to use it as a DL as well, and given a user the permissions to manage the group. You’ll see a user with write permissions under the “Security” tab of this group.
    What usually happens is that the user is removing other users from the DL and is not aware that he/she is thereby also removing access rights to files and folders.
    Naturally, users call and complain they have lost access to certain folders.
