It sounds like they don't understand the functionality. You are very fortunate they didn't lock you out entirely as it isn't difficult at all to entirely empty out high level groups (including the built-in administrator account) and do a DOS on all your admin accounts effectively locking you out of your entire AD. That's one of the reason they changed the behavior in the W2KSP4 era and experienced admins will tell you to use restricted groups very judiciously and only if you completely understand the ramifications..
From: Phil Hershey [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2008 12:55 PM To: Active Directory Admin Issues Subject: RE: Members Disappearing from Group It was apparently another admin who thought about locking down the Domain Admins group in the Default Domain policy Restricted Groups setting. He put the group in there but then failed to put any users in the group. Thus we'd add back the appropriate users, and as soon as the policy refreshed, out they came again. I'll have to track this person down via the logs. - Philip This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. From: Free, Bob [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 03, 2008 11:53 AM To: Active Directory Admin Issues Subject: RE: Members Disappearing from Group Correct, as the name implies it manages SD's (Security Descriptors) of objects in the protected groups. It has nothing to do with altering group membership From: Campbell, Rob [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 03, 2008 9:18 AM To: Active Directory Admin Issues Subject: RE: Members Disappearing from Group AdminSDHolder issues usually manifest as AD permissions disappearing. ________________________________ From: Turner, Robert D. Jr [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 03, 2008 10:49 AM To: Active Directory Admin Issues Subject: RE: Members Disappearing from Group There is also something called AdminDSHolder or is it AdminSDHolder. Basically, it sees a lesser (than DA) with delegated access to the user object that is a DA and does not like that. I can't remember if it takes away DA or does something else. It was over a year ago when I ran into it. ________________________________ From: Campbell, Rob [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 03, 2008 11:43 AM To: Active Directory Admin Issues Subject: RE: Members Disappearing from Group Group policy can do this. ________________________________ From: Phil Hershey [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 03, 2008 10:39 AM To: Active Directory Admin Issues Subject: Members Disappearing from Group We recently staring experiencing an issue with members disappearing from groups to which they normally belong. Today it was 4 users suddenly no longer being members of the Domain Admins group. Any ideas what might be going on? I'm reasonably sure I don't have a rogue administrator screwing with me. I'm concerned about general AD corruption or even a root kit. Thanks. Phil Hershey Carpinteria, CA ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ ~ ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ ~ CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute and delete the original message. Please notify the sender by E-Mail at the address shown. Thank you for your compliance. ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ ~ ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ ~ ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ ~ ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ ~ ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ <http://www.sunbelt-software.com/product.cfm?id=400> ~
