FernndezDavid-9884 asked:

AD - Distribution List delegated permissions

Hi,

I have many distribution lists in AD, but there is one of them where, after removing permission inheritance, trying to delegate permissions, or adding permissions directly from the Security tab, the original permissions are restored after a few minutes.

Could you tell me what I can review?

Thanks

windows-active-directory

DaisyZhou-MSFT answered:

Hello @FernndezDavid-9884,

Thank you for posting here.

On which AD account or group did you make the permission changes?

If you make permission changes on a protected AD account or group, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object every 60 minutes (by default).

The information below is taken from the links below.

SDProp is a process that runs every 60 minutes (by default) on the domain controller that holds the domain's PDC Emulator (PDCE). SDProp compares the permissions on the domain's AdminSDHolder object with the permissions on the protected accounts and groups in the domain. If the permissions on any of the protected accounts and groups do not match the permissions on the AdminSDHolder object, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object.

Additionally, permissions inheritance is disabled on protected groups and accounts, which means that even if the accounts and groups are moved to different locations in the directory, they do not inherit permissions from their new parent objects. Inheritance is disabled on the AdminSDHolder object so that permission changes to the parent objects do not change the permissions of AdminSDHolder.


[Screenshot: pro.png]

For more information about AdminSDHolder and Protected Groups, please refer to links below.


Active Directory AdminSDHolder, Protected Groups and SDPROP
https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)?redirectedfrom=MSDN

Appendix C: Protected Accounts and Groups in Active Directory
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
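An added example, not from this thread or from Microsoft, that applies the answer above: it checks whether a group is under AdminSDHolder/SDProp control (adminCount, disabled inheritance, transitive membership in a protected group) and lists the ACEs that SDProp will strip. It assumes the RSAT ActiveDirectory module and uses "IT Support" as a constructed group name.

```powershell
# Added example (not from the Q&A thread). Assumes RSAT ActiveDirectory module;
# $GroupName is a constructed value, change it to the group you are investigating.
param([string]$GroupName = 'IT Support')
Import-Module ActiveDirectory

$domain = Get-ADDomain
$group  = Get-ADGroup -Identity $GroupName -Properties adminCount, nTSecurityDescriptor

# Protected groups from "Appendix C: Protected Accounts and Groups in Active Directory"
$protectedNames = 'Account Operators','Administrators','Backup Operators','Domain Admins',
    'Domain Controllers','Enterprise Admins','Print Operators','Read-only Domain Controllers',
    'Replicator','Schema Admins','Server Operators'

# Transitive (nested) membership via LDAP_MATCHING_RULE_IN_CHAIN on the member attribute.
# If the DN contains ( ) * or \ it must be LDAP-escaped before being placed in the filter.
$memberOfAll = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
$hits = $memberOfAll | Where-Object { $_.Name -in $protectedNames }

[pscustomobject]@{
    Group               = $group.DistinguishedName
    adminCount          = $group.adminCount                                  # 1 => SDProp stamped it
    InheritanceDisabled = $group.nTSecurityDescriptor.AreAccessRulesProtected
    ProtectedVia        = ($hits.Name -join ', ')                             # e.g. "Print Operators"
}

# Diff the group's DACL against the AdminSDHolder template: every ACE on the group that is
# not on the template is what SDProp will remove on its next run (every 60 minutes by default).
$holderAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$groupAcl  = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$asText    = { param($a) "$($a.IdentityReference)|$($a.ActiveDirectoryRights)|$($a.AccessControlType)" }
$template  = $holderAcl.Access | ForEach-Object { & $asText $_ }
$groupAcl.Access |
    Where-Object { (& $asText $_) -notin $template } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# Caveat: removing the group from the protected group does not undo SDProp's work.
# adminCount stays 1 and inheritance stays disabled until cleared by hand, for example:
#   Set-ADGroup -Identity $GroupName -Clear adminCount
#   $acl = Get-Acl "AD:\$($group.DistinguishedName)"
#   $acl.SetAccessRuleProtection($false, $true)
#   Set-Acl -Path "AD:\$($group.DistinguishedName)" -AclObject $acl
```

Run it on a domain-joined admin workstation; an empty ProtectedVia with adminCount still 1 means the group was protected in the past and needs the manual clean-up in the trailing comment.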




FernndezDavid-9884 commented:

Here is the solution.

The failing group is a member of Print Operators, so I disabled it from AdminSDHolder.


Hello @FernndezDavid-9884,
Thank you for your update and accepting my reply as answer. I am very glad that the information is helpful and the problem has been solved.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

Best Regards,
Daisy Zhou

FernndezDavid-9884 answered:

Hi,

The problem is with a security group created by us named "IT Support", which is not a member of any of the groups you indicate.

Thanks


DaisyZhou-MSFT answered:

Hello @FernndezDavid-9884,

Thank you for your update.

We can enable an audit policy to check who changes the permissions.

Steps as below:

1. Enable the audit policy via GPO (edit the Default Domain Controllers Policy or a custom GPO linked to the Domain Controllers OU).

Legacy audit policy:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access => Success and Failure

Or use advanced audit policies (advanced audit policies overwrite all legacy audit policy settings by default):
Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Access => Success and Failure
Audit Directory Service Changes => Success and Failure


Tip: how to determine whether you are using the legacy audit policy or advanced audit policies.
If the result of this command (auditpol /get /category:*) shows any configured audit policies, it means that advanced audit policy settings are configured.

For example, my AD environment has advanced audit policies configured:
[Screenshot: ad1.png]


If you have never configured any advanced audit policies in your AD environment, then you can configure traditional audit policies.
If your AD environment has been configured with any advanced audit policy, then you must configure the advanced audit policy.


2. Click the group whose permissions changed automatically, in your case "IT Support".
[Screenshot: g4.png]

Click the "Clear All" button
Principal: Everyone
Type: All
Applies to: This object only
Permissions: Modify permissions

[Screenshot: gr2.png]


3. Run gpupdate /force on the DC.

4. If the permissions change again, please check the Event Viewer (for example, events 4662 and 4735).

It will log who changed the permission on this specific group.

In my case, it is the Domain Administrator.

[Screenshot: g1.png]

[Screenshot: g2.png]

[Screenshot: g3.png]


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou




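An added example, not from this thread or from Microsoft, for step 4 of the answer above: it reads the audit events from a DC's Security log, filters them to the group in question and prints who made each change. It assumes the audit policy and SACL from steps 1 and 2 are in place, the RSAT ActiveDirectory module, and uses "IT Support" as a constructed group name; 4737/4755 and 5136 are added alongside the 4662/4735 the answer names.

```powershell
# Added example (not from the Q&A thread). Run elevated on the DC or point -ComputerName at it.
param(
    [string]$GroupName    = 'IT Support',   # constructed value; the group from the thread
    [int]$Hours           = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)
Import-Module ActiveDirectory

# 4662: object access (needs the SACL from step 2); 4735/4737/4755: security-enabled
# local/global/universal group changed; 5136: directory object modified, which is the
# event that records the nTSecurityDescriptor write itself.
$filter = @{
    LogName   = 'Security'
    Id        = 4662, 4735, 4737, 4755, 5136
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
ForEach-Object {
    # Flatten the <Data Name="..."> pairs of the event XML into a hashtable
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Each event names its object differently; 4662 may carry only the object GUID
    $target = if ($d.ObjectName) { $d.ObjectName } elseif ($d.ObjectDN) { $d.ObjectDN } else { $d.TargetUserName }
    if ($target -match '([0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})') {
        try { $target = (Get-ADObject -Identity $Matches[1]).DistinguishedName } catch {}
    }
    if ($target -notmatch [regex]::Escape($GroupName)) { return }

    $detail = switch ($_.Id) {
        4662    { "AccessMask=$($d.AccessMask)" }    # 0x40000 = WRITE_DAC (permission change)
        5136    { "Attr=$($d.AttributeLDAPDisplayName) Op=$($d.OperationType)" }
        default { '' }
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Target  = $target
        Detail  = $detail
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A 5136 entry for nTSecurityDescriptor whose actor is the PDC emulator's own machine account rather than a user typically marks the SDProp reset itself, while a 4662 with WRITE_DAC from a user account shows the person who changed the ACL.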