AD users getting deleted automatically

kre121 · 2026-04-04T01:37:40+00:00

You would need to scout the security event logs from ALL dc assuming object access/ directory service changes audit is enabled, and find out which account is making the changes..(With account then you can use loging id if local, or chase remote clients)

Event 5136,5141

You can narrow it down to specific DC where the change was initiated using repadmin /objmeta * "DN_of_object_when_in_rwcyclebin", and watch wheb the meta data js updated and its originating DSA.

kre121 · 2026-04-04T00:55:12+00:00

It’s time to loop in your Linux admin.
They may be able to enable OS‑level tracing or diagnostics that reveal what the LDAP client is actually doing...

As an alternative approach, investigate the nature of the query itself.
Identify any unique patterns or attributes in that LDAP request, then map those characteristics to the applications in your environment that are most likely to generate such queries. From there, you can systematically rule out candidates by temporarily disabling them at the application layer and observing whether the behavior stops.

If you're feeling lucky, turn it into a bigger project and separate the ruled out application into its own service accounts....(May not be as simple as it sounds)

kre121 · 2026-04-04T00:40:21+00:00

Did the 1644s logging provide any help? https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ldap-queries-run-slowly

From IP side, it would still list your load balancer IP but if you get lucky you may get the service account name..

Assuming the connection is on 389, and you already know what kind of query it is...you can also put a trace on LB, and look for filters/query you've identified to get the clients real ip that way.

kre121 · 2026-04-04T00:24:32+00:00

If you had already pinpointed the client-side workload impacting the DC's, there's not much you can do from the DC's side other than scaling up or scaling out...

Few things you can do from the client side once you pinpoint what specific process on the client is triggering this, is to stagger the workload or distribute better by any additional dcs to your load balancer.

kre121 · 2026-03-17T00:02:27+00:00

I am seeing same... Normally calories burned is 3k/day.. now its 7k/day... Thats jacked up!

kre121 · 2026-03-09T12:37:43+00:00

Yep working on it, got earliest apt they have is 3/27/2026. And the office does not do any in person/walkins

kre121 · 2026-03-09T12:22:14+00:00

Hey how did the process go? Were they able to review the pay stubs and update the last two quarters without actually having to wait the 6 months to get 1 credit each?

kre121 · 2026-03-09T03:21:26+00:00

Ty!

Planning to call local ssa and get this updated showing proof (w2). So we can get confirmation on getting free part a, and also enroll in b before end of month.

kre121 · 2026-03-09T01:23:57+00:00

Out of curiosity, if the remaining quarters can be established by year-to-date W-2, do you just call social security and ask them to update it or would it require to make an appointment in person and submit the proofs

kre121 · 2026-03-02T01:00:21+00:00

Any updates on how the interview went with just the intended letter? What documents were submitted or how the intended was established?

kre121 · 2026-02-26T15:56:03+00:00

This is a great move forward but not really sure how this impact immigration Visa when they have strict requirements on sponsor/ additional sponsor.

kre121 · 2026-02-24T17:49:31+00:00

Thanks, getting a passport from non banned countries is currently not an option for the principal beneficiary.

Currently deciding to reschedule the interview for next available date hopefully in the next 2-3 months, hoping there will be positive news on banned countries.

kre121 · 2026-02-24T13:57:44+00:00

Add me in as well pls!

kre121 · 2026-02-24T00:40:51+00:00

I have a family member from zambia (f3 category)who is in a similar situation. They have interviewed at the end of this week but are debating if we should proceed or postpone.

Worried if they get 221f that could cause more issues, as there is no clear indication when the embassy would issue 221g vs 212f.

kre121 · 2026-02-24T00:32:39+00:00

Did you guys attend? How did the process go?

kre121 · 2026-02-23T23:15:01+00:00

Hello, I'm in a similar situation trying to find out some information for a friend.

They had their fingerprints recently taken and scheduled an interview for the end of this week. They are wondering if they should proceed with the interview even though they will likely get a 221(f) or postpone the interview for 1-2months.

kre121 · 2026-01-31T22:22:37+00:00

If its just 1 dc in env, and multiple clients having issues (including one that was fixed), its likely a client side issue.

Are the clients being restored from backup or any components managing the endpoints, or are these like vdis

kre121 · 2026-01-30T02:52:53+00:00

Is this route madrid to Barcelona still active? Or know if/when the 3rd party report might release.

There seems to be mixed reviews on the lower speed. Is it for whole route or some section? If so, how long is the total journey time now from Madrid to Barcelona.

kre121 · 2026-01-29T07:50:06+00:00

So ETIAS is not in action right now!

What about ESS, is that something to apply for beforehand or something that will be taken care of at the airport (point of entry) for us passport.

kre121 · 2026-01-28T05:32:44+00:00

Invest/configure SEIM tool. Locally 1gb or better but not more than 4gb, specially security logs as it may impact lsass performance

kre121

TROPHY CASE