Message Boards » Tech Talk » domain users disappearing from local admins group
evan

We have a few W2K8 machines that are members of a particular domain. Their local Administrators groups contain quite a few domain accounts (15 or so). One account in particular, which we can't see anything different about when compared to the others, keeps getting removed from the local admins group literally about 5 minutes after it's added.

Account management auditing is turned on, but the SEL just logs that a user was removed by the local system account:

Quote :
"
A member was removed from a security-enabled local group.

Subject:
Security ID: SYSTEM
Account Name: (the computer name)$
Account Domain: (the domain)
Logon ID: 0x3e7

Member:
Security ID: (the domain)\(the account that keeps getting removed)
Account Name: -

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

Additional Information:
Privileges: -
"


If you go back a few entries, there was a connection made to the IPC share from the local system account, but there's no process information other than lsass.exe.

I checked the RSoP for the computer and there's nothing in the GP aggregate that would be causing this (restricted groups, etc.). Nothing in the logon scripts that would do it either.

TCPView just shows the SMB over TCP connection to the IPC share.

There are no other events in any other system logs that correlate with the time of the removal.

Any ideas? I'm completely stumped...

Edit: we also keep seeing these every 10 minutes or so (event ID 4735):

Quote :
"
A security-enabled local group was changed.

Subject:
Security ID: SYSTEM
Account Name: (the computer name)$
Account Domain: (the domain)
Logon ID: 0x3e7

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

Changed Attributes:
SAM Account Name: -
SID History: -

Additional Information:
Privileges: -
"


And I can't figure out what the hell it's doing; it doesn't look like it changed anything.

7/20/2009 11:16:01 AM
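The post above has already done the correlation by hand (4733 removal by SYSTEM, an IPC$ hit a few entries earlier, nothing in the other logs). The script below, added here as an example and not something from the thread, automates that: it pulls every 4732/4733/4735 audit for BUILTIN\Administrators, resolves the member SID, and then dumps everything the Security, System and Application logs recorded within a window around each change, so a 5140 share access, a 4624 logon, a 4688 process creation (if process-tracking auditing is on) or a service start that always precedes the removal stands out. It assumes Windows Server 2008 with PowerShell 2.0 and an elevated prompt; the window size and the group SID are parameters.

```powershell
# Added example, not from the thread: list every add/remove/change audit for the
# local Administrators group and show what else the box logged around each one.
# Assumes Windows Server 2008 / PowerShell 2.0 and that account-management (and
# ideally process-tracking) auditing is enabled. Run from an elevated prompt.
#
# Security-log event IDs used:
#   4732 member added to a security-enabled local group
#   4733 member removed (the event quoted in the post)
#   4735 security-enabled local group changed (the 10-minute noise)
#   5140 share accessed, 4688 process created, 4624 logon: shown by the window dump
param(
    [int]$WindowSeconds = 30,                # look this far either side of each change
    [string]$GroupSid   = 'S-1-5-32-544'     # well-known SID of BUILTIN\Administrators
)

function Get-EventData($Event) {
    # Flatten <EventData><Data Name="...">text</Data> into a hashtable keyed by Name.
    $table = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $table[$d.Name] = $d.'#text' }
    return $table
}

function Resolve-Sid([string]$Sid) {
    if (-not $Sid) { return '' }             # 4735 carries no member, so print nothing
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }                         # unresolvable (deleted account): raw SID
}

$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733, 4735 } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventData $_)['TargetSid'] -eq $GroupSid } |
    Sort-Object TimeCreated

foreach ($ev in $changes) {
    $data = Get-EventData $ev
    $what = switch ($ev.Id) { 4732 { 'ADDED' } 4733 { 'REMOVED' } 4735 { 'CHANGED' } }

    # SubjectLogonId 0x3e7 is the well-known SYSTEM session, so it cannot tell two
    # SYSTEM processes apart; the surrounding events are the only clue to which one.
    "{0:u}  {1,-8} member={2}  by={3}\{4} (logon {5})" -f $ev.TimeCreated, $what,
        (Resolve-Sid $data['MemberSid']), $data['SubjectDomainName'],
        $data['SubjectUserName'], $data['SubjectLogonId']

    # Everything else logged in the window, across the three main logs, oldest first.
    $from = $ev.TimeCreated.AddSeconds(-$WindowSeconds)
    $to   = $ev.TimeCreated.AddSeconds($WindowSeconds)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security', 'System', 'Application'; StartTime = $from; EndTime = $to } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            $first = ($_.Message -split "`n")[0]    # first line of the message is enough
            "    {0:HH:mm:ss}  {1,-11} {2,5}  {3}" -f $_.TimeCreated, $_.LogName, $_.Id, $first
        }
}
```

Save it as a .ps1 and run it on one of the affected nodes; widen `-WindowSeconds` if the removal lags the trigger. Because the subject is always the SYSTEM session, the useful signal is whatever repeats in every window: the same 4688 process, the same 7036 service-state change in the System log, or the same share access immediately before each 4733.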

evan

plz2halp

7/21/2009 1:37:48 AM

Perlith

1) If you disconnect from the network, does the same behavior occur?
2) If you remove it from the domain, does the same behavior occur?
3) If you remove it from the domain and re-add it, does the same behavior occur?
4) Does MS charge to open formal support tickets?

7/21/2009 8:06:58 AM

disco_stu

I would have called it group policy, but you stated that you checked that.

Just to be sure I would do:

Quote :
"1) If you disconnect from network, same behavior occur?"


And reboot it a few times after adding a user to the local admins group.

I saw some stuff googling suggesting it could be an SID issue, but I wouldn't go generating new SIDs until you totally eliminate group policy from the equation. Plus I'd imagine you'd get some sort of errors or failure audits if it really were an SID issue.

7/21/2009 9:46:59 AM

evan

Quote :
"1) If you disconnect from the network, does the same behavior occur?
2) If you remove it from the domain, does the same behavior occur?
3) If you remove it from the domain and re-add it, does the same behavior occur?
4) Does MS charge to open formal support tickets?"

1) Haven't tried that, but good idea. Why didn't I think of that? Whatever is doing it, the request to \IPC$ is coming from the loopback interface, so I doubt it will change anything.
2) Haven't tried that either.
3) Ditto, but if it's a SID issue, that should fix it (or at least reveal it). Worth a shot. I'll try it in a bit.
4) Not for us, but I'd rather not spend all day on the phone with Microsoft if I don't have to; that's my last resort.

Quote :
"I would have called it group policy, but you stated that you checked that."

Yep, that was my first thought.

Quote :
"I saw some stuff googling suggesting it could be an SID issue, but I wouldn't go generating new SIDs until you totally eliminate group policy from the equation. Plus I'd imagine you'd get some sort of errors or failure audits if it really were an SID issue."

That's what I saw too from my googling, but yeah - there would be failure audits all over the place, especially considering we have just about every auditing option turned on... and we'd be seeing much more funky problems than this if that were the case.


I don't think it makes any difference, but these machines are part of an MS HPC compute cluster. I checked the node template and there's nothing in there that would be specifying this.

Also, even stranger: whatever process is removing this account from the group has also started sporadically ADDING IT BACK. I'm about to just surrender and call MS, who probably won't help (and will say to just restage the machines)... but oh well.

Thanks for the help.

7/21/2009 9:59:58 AM
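The isolation tests suggested above (cable pulled, domain left, domain rejoined) only tell you something if you can see the exact moment the account disappears, and now also when it comes back. The watcher below is an added example, not code from the thread: it snapshots the local Administrators group through the WinNT ADSI provider every few seconds and stamps every add or remove to the console and a log file, so each test gives a timeline that can be laid next to the 4733/4732 events. It assumes Windows Server 2008 with PowerShell 2.0; the group name, interval and log path are parameters and the log path is an arbitrary choice.

```powershell
# Added example, not from the thread: poll the local Administrators group while the
# isolation tests run and stamp every membership change, so you see exactly when the
# account goes and whether it comes back. Assumes Server 2008 / PowerShell 2.0.
param(
    [string]$Group       = 'Administrators',
    [int]$IntervalSec    = 15,
    [string]$LogFile     = "$env:SystemDrive\admins-watch.log"   # arbitrary location
)

function Get-LocalGroupMembers([string]$GroupName) {
    # WinNT ADSI provider; needs no extra modules on 2008. Returns DOMAIN\name strings.
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $names = foreach ($m in $grp.psbase.Invoke('Members')) {
        # Each member is a COM object; ADsPath looks like WinNT://DOMAIN/name
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
    return @($names | Sort-Object -Unique)
}

function Write-Log([string]$Line) {
    $stamped = "{0:u} {1}" -f (Get-Date), $Line
    Write-Host $stamped
    Add-Content -Path $LogFile -Value $stamped
}

$previous = @(Get-LocalGroupMembers $Group)
Write-Log ("START {0} has {1} members: {2}" -f $Group, $previous.Count, ($previous -join ', '))

while ($true) {                               # Ctrl+C to stop
    Start-Sleep -Seconds $IntervalSec
    $current = @(Get-LocalGroupMembers $Group)
    if ($current.Count -eq 0) {
        # An empty result means enumeration failed (e.g. SAM busy), not an empty group;
        # keep the last good snapshot rather than reporting everyone as removed.
        Write-Log 'WARN enumeration returned nothing; keeping previous snapshot'
        continue
    }
    # Compare-Object: '<=' only in the old snapshot (removed), '=>' only in the new (added)
    foreach ($d in (Compare-Object -ReferenceObject $previous -DifferenceObject $current)) {
        $verb = if ($d.SideIndicator -eq '<=') { 'REMOVED' } else { 'ADDED' }
        Write-Log ("{0,-7} {1}" -f $verb, $d.InputObject)
    }
    $previous = $current
}
```

Start it in an elevated window, add the account from a second window (`net localgroup Administrators DOMAIN\account /add`), then run each test in turn. A REMOVED line that still appears with the cable unplugged means the actor is on the box itself, which is what the loopback IPC$ connection already hints at; a removal that stops when the machine leaves the domain points at something the domain membership installs or triggers.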

© 2024 by The Wolf Web - All Rights Reserved.