RE: [ActiveDir] Computer accounts getting deleted by unknown process

[Akomolafe, Deji]

I had this issue a long time back with a similar product made by a previous 
employer. I won't go back into the details, but the problem is that computer 
passwords were being restored to previous states that no longer match those on 
the DCs at the present state. A manual or scripted rejoin is usually the cure. 
However, the computer objects themselves were not actually cleaned up, unlike 
in the case that Rich is now describing. Rich needs to eye-ball the directory 
itself and see whether or not the object actually disappeared when the problem 
manifests itself. Third-party eyes relaying information to the troubleshooter - 
not always reliable.

Sincerely, 
  _____                                
 (, /  |  /)               /)     /)   
   /---| (/_  ______   ___// _   //  _ 
) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)      
                              (/       
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Al Mulnick
Sent: Tue 1/16/2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process


In that case, you'll want to check out Steve's post and follow some of that advice.  Since it's a computer "resource" domain topology, it should be relatively low traffic and easier to spot. 

Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation? 


On 1/16/07, Rich Milburn <[EMAIL PROTECTED]> wrote: 
Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). 

I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them. 

Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers. 

-----------------------------------------------------------------------
Rich Milburn 
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc. 
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous


From: mailto:[EMAIL PROTECTED]:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process 

What's unique about the domain this is happening to? That strikes me as odd that it's occurring in one domain, but not all. 

I have yet to see accounts get deleted in Active Directory (any version) without a process that removes them.  This could be a new experience for me, but I'm skeptical that a process doesn't exist that is removing accounts or preventing the replication (you did say they checked, but like I said, I'm skeptical of any process that picks on computer account security principals but leaves user security principals alone.) 

I have seen strange issues occur when anti virus apps that run on the domain controllers were thought to have been configured properly but weren't. I've seen instances where similar symptoms were presented but in the end we found out that a process was running that caused this issue. I've seen issues of DC promotions and DNS that "ate" the DNS zones, but that's not what you describe. 

So I'm interested to know what's unique about the domain it occurs in.  I'm interested to know why it doesn't occur in the other domains? 

SP1 is highly recommended of course - lots of bug fixes and additional security changes. 

I'm not familiar with the client side apps you mention, but if the environment 
I work in currently is any indication old computer accounts don't become 
suicidal without provocation.  Shame too....



On 1/16/07, Rich Milburn <[EMAIL PROTECTED]> wrote:
I've found a little bit of info on this googling, and the results I'm
finding seem to be related to replication problems, lack of SP1, or
other issues with DCs that need to be reinstalled (reason not
identified).  What's happening is that computer accounts are getting 
deleted - most of them are ones that can't update their passwords
because they have been turned off, or in the case of a group of users,
their computers have Deep Freeze running on them, and those computers
update their passwords but apparently the computers reset when they are
rebooted so the password is reset to the old one too.  But the issues
are not isolated to these accounts.

We do not have an automated process set up to delete these accounts. 

This is Server 2003, non-SP1 (that's scheduled for this Friday).  There
are no discovered replication errors, they have checked for those.  We 
only have 6 DCs, two each for a root and two child domains, and this is 
happening in one of the child domains.

Here is an example event that we are getting.  If anyone has seen this
before or has any ideas, we'll be most appreciative. 

Event Type:       Error
Event Source:    NETLOGON 
Event Category: None
Event ID:           5723
Date:                1/16/2007
Time:                9:21:28 AM
User:                N/A
Computer:         CORPDC2 
Description:
The session setup from computer 'ACCT-95XDP11' failed because the 
security database does not contain a trust account 'ACCT-95XDP11$'
referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer
and account, this may be a transient issue that doesn't require any 
action at this time. Otherwise, the following steps may be taken to 
resolve this problem:

If 'ACCT-95XDP11$' is a legitimate machine account for the computer
'ACCT-95XDP11', then 'ACCT-95XDP11' should be rejoined to the domain. 

If 'ACCT-95XDP11$' is a legitimate interdomain trust account, then the 
trust should be recreated.

Otherwise, assuming that 'ACCT-95XDP11$' is not a legitimate account,
the following action should be taken on 'ACCT-95XDP11': 

If 'ACCT-95XDP11' is a Domain Controller, then the trust associated with 
'ACCT-95XDP11$' should be deleted.

If 'ACCT-95XDP11' is not a Domain Controller, it should be disjoined
from the domain.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 8b 01 00 c0

----------------------------------------------------------------------- 
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development 
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------- 
"I love the smell of red herrings in the morning" - anonymous 

-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED /
CONFIDENTIAL INFORMATION may be contained in this message or any attachments. 
This information is strictly confidential and may be subject to attorney-client 
privilege. This message is intended only for the use of the named addressee. If
you are not the intended recipient of this message, unauthorized forwarding, 
printing, copying, distribution, or using such information is strictly 
prohibited and may be unlawful. If you have received this in error, you should
kindly notify the sender by reply e-mail and immediately destroy this message. 
Unauthorized interception of this e-mail is a violation of federal criminal law. 
Applebee's International, Inc. reserves the right to monitor and review the
content of all messages sent to and from this e-mail address. Messages sent to 
or from this e-mail address may be stored on the Applebee's International, Inc. 
e-mail system.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx



-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- 
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.