We set up a rule to grab the deletion events.... They tend to scroll off our log in about a day so there are no reference events from which to grab this info from...yet. Thanks though.
I'm not sure if we've had success yet with viewing the deleted objects via adrestore (sysinternals tool, thanks Mark R), but I sent them info on how to do so along with a screen shot of what they should see. Went through a KB article about using ldp to do it. Yuck! What a mess. I'd include a link to that but I'd rather save the innocents from that mess. I'm sure there are other good ways to do it but... Step 27) "... copy the long number in front of DELETED OBJECTS after the second colon up to the 3rd colon and paste it..." ----------------------------------------------------------------------- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 ---------------------------------------------------------------------- "I love the smell of red herrings in the morning" - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Wednesday, January 17, 2007 9:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process For the edification of some on the list who might not be familiar with tracking down the perpetrators of an object deletion: You should take a look at the object metadata for those deleted computer accounts. The DC where the deletion occurred will be listed as the DC where the name attribute was changed. Keep note of the exact timestamp. Then you need to check that DC for deletion events in the security event log, assuming you have those turned on. That should get you info on what account did the deletion. Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Wednesday, January 17, 2007 7:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process Thanks Al and Steve. Oh and Steve, you forgot the name of the Shared Computer Toolkit? J Such a nice tool... Of course, Vista's new multiple local GPO sorta almost makes it obsolete, but it's still a nice tool... ----------------------------------------------------------------------- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 ---------------------------------------------------------------------- "I love the smell of red herrings in the morning" - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, January 16, 2007 6:55 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process Since I'm 2 points down.... XPe machines typically do same. Oddly the machines described are no different than how many of the XPe machines are setup so using the same docs to disable the password changes and any other changes that you may deem as similar enough to be useful. I strongly suggest checking out the configuration docs on products such as WYSE or iGEL to see if those types of settings and control apply to you now that you've deployed DF. Microsoft may have some similar docs as well I suppose :) On 1/16/07, Steve Linehan <[EMAIL PROTECTED]> wrote: Password change for the machine account is handled by the client and you could disable this so that you do not have the problem on the machines that are deep freezed. We also have a tool that education users often leverage that does something similar however we implemented a way to update the password secrete in the machines registry to avoid the rollback issue. The DC will remember the current and one previous password. If the machine comes up and uses the previous password then it will fall back however if the machine goes through two resets, by default 30 days+random offset up to 24 hours, then potentially when you fall back the trust relationship would not work as the DC only knows about the last two passwords. That being said other ISVs simply disable password changes on these systems since the password is randomly generated and generally strong for workstation class machines. As for the deletion that is not normal which is why I would be interested in the metadata if the objects are indeed in deleted items. Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Tuesday, January 16, 2007 4:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process Thanks Deji, I'll see what I can do (pun sorta intended) ----------------------------------------------------------------------- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 ---------------------------------------------------------------------- "I love the smell of red herrings in the morning" - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Tuesday, January 16, 2007 3:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process I had this issue a long time back with a similar product made by a previous employer. I won't go back into the details, but the problem is that computer passwords were being restored to previous states that no longer match those on the DCs at the present state. A manual or scripted rejoin is usually the cure. However, the computer objects themselves were not actually cleaned up, unlike in the case that Rich is now describing. Rich needs to eye-ball the directory itself and see whether or not the object actually disappeared when the problem manifests itself. Third-party eyes relaying information to the troubleshooter - not always reliable. Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: Al Mulnick Sent: Tue 1/16/2007 1:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process In that case, you'll want to check out Steve's post and follow some of that advice. Since it's a computer "resource" domain topology, it should be relatively low traffic and easier to spot. Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation? On 1/16/07, Rich Milburn <[EMAIL PROTECTED]> wrote: Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them... Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers. ----------------------------------------------------------------------- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 ---------------------------------------------------------------------- "I love the smell of red herrings in the morning" - anonymous From: mailto:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, January 16, 2007 1:22 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process What's unique about the domain this is happening to? That strikes me as odd that it's occurring in one domain, but not all. I have yet to see accounts get deleted in Active Directory (any version) without a process that removes them. This could be a new experience for me, but I'm skeptical that a process doesn't exist that is removing accounts or preventing the replication (you did say they checked, but like I said, I'm skeptical of any process that picks on computer account security principals but leaves user security principals alone.) I have seen strange issues occur when anti virus apps that run on the domain controllers were thought to have been configured properly but weren't. I've seen instances where similar symptoms were presented but in the end we found out that a process was running that caused this issue. I've seen issues of DC promotions and DNS that "ate" the DNS zones, but that's not what you describe. So I'm interested to know what's unique about the domain it occurs in. I'm interested to know why it doesn't occur in the other domains? SP1 is highly recommended of course - lots of bug fixes and additional security changes. I'm not familiar with the client side apps you mention, but if the environment I work in currently is any indication old computer accounts don't become suicidal without provocation. Shame too.... On 1/16/07, Rich Milburn <[EMAIL PROTECTED]> wrote: I've found a little bit of info on this googling, and the results I'm finding seem to be related to replication problems, lack of SP1, or other issues with DCs that need to be reinstalled (reason not identified). What's happening is that computer accounts are getting deleted - most of them are ones that can't update their passwords because they have been turned off, or in the case of a group of users, their computers have Deep Freeze running on them, and those computers update their passwords but apparently the computers reset when they are rebooted so the password is reset to the old one too. But the issues are not isolated to these accounts. We do not have an automated process set up to delete these accounts. This is Server 2003, non-SP1 (that's scheduled for this Friday). There are no discovered replication errors, they have checked for those. We only have 6 DCs, two each for a root and two child domains, and this is happening in one of the child domains. Here is an example event that we are getting. If anyone has seen this before or has any ideas, we'll be most appreciative. Event Type: Error Event Source: NETLOGON Event Category: None Event ID: 5723 Date: 1/16/2007 Time: 9:21:28 AM User: N/A Computer: CORPDC2 Description: The session setup from computer 'ACCT-95XDP11' failed because the security database does not contain a trust account 'ACCT-95XDP11$' referenced by the specified computer. USER ACTION If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem: If 'ACCT-95XDP11$' is a legitimate machine account for the computer 'ACCT-95XDP11', then 'ACCT-95XDP11' should be rejoined to the domain. If 'ACCT-95XDP11$' is a legitimate interdomain trust account, then the trust should be recreated. Otherwise, assuming that 'ACCT-95XDP11$' is not a legitimate account, the following action should be taken on 'ACCT-95XDP11': If 'ACCT-95XDP11' is a Domain Controller, then the trust associated with 'ACCT-95XDP11$' should be deleted. If 'ACCT-95XDP11' is not a Domain Controller, it should be disjoined from the domain. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 8b 01 00 c0 ----------------------------------------------------------------------- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 ---------------------------------------------------------------------- "I love the smell of red herrings in the morning" - anonymous -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx ________________________________ -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. ________________________________ ________________________________ -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. ________________________________ ________________________________ -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. ________________________________ -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
