A strange case of Admin group memberships

After a bit of a break, we are back on the MSPFE blog with a field story yet again. This time, Saji John, a Premier Field Engineer from India describes a strange scenario which he helped troubleshoot.


Hello Everyone! My area of expertise is Active Directory. The intent of this blog is to share an interesting and strange issue which I had encountered during one of my customer visits.

Symptoms

As per the customer, a global AD group – let’s call it Desktop Admins - was getting added to the built-in Administrators group of the domain automatically. They had already tried removing the Desktop Admins from the Domain Admins group, but it kept getting added again automatically.

The initial thought was that someone had access to the domain admin credentials and somehow was gaining administrative access to the domain. The customer was keen on finding out the root cause.

Investigations

After some initial discussion with the customer, found that they are using the ‘restricted group’ setting to add the Desktop Admins group to the Local Administrators group on the client machine:

Restricted Groups

This group policy was in turn linked to the Desktops Organization Unit (OU). But when I checked, I found that the group policy was not linked to the domain head. Next, I checked if the group policy was linked to any other OU, except the Desktops OU; I did not find any such links.

So, there was some way in which this group policy was applying to the specific domain controller in addition to the desktop client machines. I did a quick check in the test environment and concluded that, if this group policy applies to the domain controller, the ‘Desktop Admins’ group will get added to the built-in administrators group of the domain.

But then, this group policy was not linked to the Domain Controllers OU. So, how was this group policy apply to the domain controller, if it is not linked to the domain head nor the Domain Controllers OU?

Next, when I asked the customer how many domain controllers we had, it was 28. But then when we checked the domain controllers OU and found that the total number of computer accounts were 27.

Eureka!

So we searched for the missing computer account in the domain controllers OU and found it to be moved to the Desktop OU, where the group policy was linked. Voila!! There’s the issue!

Finally we moved the domain controller computer account back to the Domain Controllers OU’s and the issue stop occurring.

In conclusion, sometimes an open mind and out-of-box thinking is necessary to resolve the weirdest of problems.

Thank you for your attention and we would love to hear your comments and feedback.


Original content from Saji John; posted by MSPFE Editor Arvind Shyamsundar