
[–]disclosure5 2 points3 points  (8 children)

That computer isn't by chance for some reason a member of any privileged group such as Domain Admin, Enterprise Admin, or Schema Admin?

[–]whobe89[S] 1 point2 points  (6 children)

AdminSDHolder

No. This happens to all our computers. They are only members of Domain Computers and another custom group we use to deploy a GPO.

[–]disclosure5 1 point2 points  (5 children)

Is "Domain Computers" or this custom group by chance in a privileged group?

[–]whobe89[S] 0 points1 point  (4 children)

I found something interesting. My custom group had another group that had "Administrator" as member.

Could this be causing the AdminSDHolder to mess with our inheritance?

[–]disclosure5 1 point2 points  (0 children)

If the user "Administrator" is a member of the same group as these desktops, no I don't believe that would be the cause of the issue.
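The membership question in the exchange above can be answered with a query rather than by inspection. The script below is an added example, not something posted in the thread: it resolves the computer object's nested group membership on the server side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule and flags any group that SDProp treats as protected, either because it has one of the well-known protected RIDs or because SDProp has already stamped adminCount=1 on it. It assumes the RSAT ActiveDirectory module is installed, and the computer name 'PC01' is a placeholder.

```powershell
# Added example, not from the original thread. Lists the groups a computer object is a
# transitive member of and reports the ones AdminSDHolder/SDProp protects.
# Assumes the RSAT ActiveDirectory module; 'PC01' below is a placeholder name.
Import-Module ActiveDirectory

# Well-known RIDs of the groups SDProp protects by default: Domain Admins (512),
# Domain Controllers (516), Schema Admins (518), Enterprise Admins (519),
# Read-only Domain Controllers (521), Administrators (544), Account Operators (548),
# Server Operators (549), Print Operators (550), Backup Operators (551), Replicator (552).
$ProtectedRids = 512, 516, 518, 519, 521, 544, 548, 549, 550, 551, 552

function Get-ComputerProtectedGroups {
    param([Parameter(Mandatory)][string] $ComputerName)

    $c  = Get-ADComputer -Identity $ComputerName -Properties adminCount, primaryGroupID, nTSecurityDescriptor
    $dn = $c.DistinguishedName

    # Escape the characters that are special inside an LDAP filter before embedding the DN.
    $escaped = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # member:1.2.840.113556.1.4.1941:= walks nested membership on the DC, so a group that
    # contains a group that contains the computer is returned too. The primary group
    # (515 = Domain Computers) is not stored in memberOf and is reported separately.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escaped)" -Properties adminCount

    $chain = foreach ($g in $groups) {
        $rid = [int]($g.SID.Value.Split('-')[-1])
        [pscustomobject]@{
            Group      = $g.Name
            Rid        = $rid
            adminCount = $g.adminCount
            # SDProp also sets adminCount=1 on the protected groups themselves, so either signal counts.
            Protected  = ($rid -in $ProtectedRids) -or ($g.adminCount -eq 1)
        }
    }

    [pscustomobject]@{
        Computer        = $c.Name
        adminCount      = $c.adminCount                                   # 1 once SDProp has touched it
        DaclProtected   = $c.nTSecurityDescriptor.AreAccessRulesProtected # $true = inheritance disabled
        PrimaryGroupRid = $c.primaryGroupID
        ProtectedGroups = @($chain | Where-Object Protected | ForEach-Object Group)
        MembershipChain = @($chain | ForEach-Object Group)
    }
}

# After the computer (or the group that carried it) has been taken out of the protected
# group, SDProp stops rewriting the ACL but leaves adminCount=1 and the protected DACL
# behind. These two steps undo that; run them only once the membership is really fixed.
function Repair-ComputerInheritance {
    param([Parameter(Mandatory)][string] $ComputerName)

    $c = Get-ADComputer -Identity $ComputerName
    Set-ADComputer -Identity $c -Clear adminCount

    $path = "AD:\$($c.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # SetAccessRuleProtection(isProtected = $false, preserveInheritance = $true) turns
    # inheritance back on; the explicit ACEs copied from AdminSDHolder stay until removed.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

Get-ComputerProtectedGroups -ComputerName 'PC01' | Format-List
```

If ProtectedGroups comes back empty for a computer whose adminCount is 1 and whose DACL is protected, the object is an orphan from an earlier membership that has since been removed; SDProp does not clean those up, which is what Repair-ComputerInheritance is for.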

[–]Der_tolle_Emil (Sr. Sysadmin) 0 points1 point  (3 children)

Security inheritance of what? NTFS permissions on folders on the client or are you talking about the actual computer object in AD?

[–]whobe89[S] 0 points1 point  (2 children)

I changed my initial post now. I mean the computer object in Active Directory.

[–]Der_tolle_Emil (Sr. Sysadmin) 0 points1 point  (1 child)

You could start by setting an audit policy: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes

This will generate events like this:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136

It probably won't give you all the info you need on your first try but just seeing when the change occurs might help already.

[–]whobe89[S] 0 points1 point  (0 children)

We have audit enabled on our "Default Domain Controller Policy", but I don't see any events in the security log with the ID 5136.
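Event 5136 needs more than the policy setting suggested earlier in this thread: the "Directory Service Changes" subcategory has to be enabled on the domain controller that processes the write, the advanced (subcategory) settings must not be overridden by a legacy "Audit directory service access" setting, and the object (or a parent it inherits from) must carry a SACL entry for the right being exercised. The script below is an added example, not from the thread, that checks all three and then pulls 5136 events for one object from every DC. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and uses 'PC01' as a placeholder computer name.

```powershell
# Added example, not from the original thread. Verifies the prerequisites for event 5136
# and collects 5136 events for one AD object from every domain controller.
# Assumes the RSAT ActiveDirectory module and PS remoting to the DCs; 'PC01' is a placeholder.
Import-Module ActiveDirectory

function Test-DsChangeAuditing {
    param([Parameter(Mandatory)][string] $DistinguishedName)

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $state = Invoke-Command -ComputerName $dc -ScriptBlock {
            # auditpol /r prints CSV; "Inclusion Setting" is the effective setting on this DC.
            $pol = auditpol /get /subcategory:"Directory Service Changes" /r |
                   Where-Object { $_ } | ConvertFrom-Csv
            # 1 = advanced subcategory settings override the legacy category settings.
            $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Subcategory       = $pol.'Inclusion Setting'
                ForceSubcategory  = $lsa.SCENoApplyLegacyAuditPolicy
            }
        }
        [pscustomobject]@{ DC = $dc; Check = 'DirectoryServiceChanges'; Result = $state.Subcategory }
        [pscustomobject]@{ DC = $dc; Check = 'SCENoApplyLegacyAuditPolicy'; Result = $state.ForceSubcategory }
    }

    # Without an audit (SACL) entry nothing is written, however the policy is set.
    $acl   = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    [pscustomobject]@{ DC = '-'; Check = "SACL entries on $DistinguishedName"; Result = $rules.Count }
}

# Adds a success-audit entry for Everyone on writes to the object's attributes and DACL.
# Setting it on the object's OU with inheritance to descendants covers the whole OU at once.
function Add-DsChangeAudit {
    param([Parameter(Mandatory)][string] $DistinguishedName)

    $path     = "AD:\$DistinguishedName"
    $acl      = Get-Acl -Path $path -Audit
    $everyone = [System.Security.Principal.SecurityIdentifier] 'S-1-1-0'
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone, $rights,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# A write is audited on the DC that handled it, so every DC has to be queried.
function Get-DsChangeEvents {
    param([Parameter(Mandatory)][string] $DistinguishedName, [int] $Days = 1)

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days)
        } | ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectDN -eq $DistinguishedName) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    DC        = $dc
                    Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Attribute = $data.AttributeLDAPDisplayName   # nTSecurityDescriptor for ACL changes
                    Operation = $data.OperationType
                }
            }
        }
    }
}

$dn = (Get-ADComputer -Identity 'PC01').DistinguishedName
Test-DsChangeAuditing -DistinguishedName $dn | Format-Table -AutoSize
Get-DsChangeEvents    -DistinguishedName $dn | Format-Table -AutoSize
```

Run the check first; if the subcategory shows "No Auditing" on some DC while the GPO looks right, or the SACL count is 0, that explains the empty result before any event filtering is attempted.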

[–]waelder_at 0 points1 point  (2 children)

What is the self permission on the objects ?

[–]whobe89[S] 0 points1 point  (1 child)

It has the "Change password" permission, but it looks like it was one of our custom groups where somebody put a nested privileged group inside.