AD Computer Accounts being Deleted Randomly

[Haynsey]

G'day,

FYI - this thread was created because I used an older thread to reply to. Meinolf Weber has already replied, see below at the end of my post.

Sorry for jumping into this thread with my own problem albeit very
similar to the OP's so I hope I can add something to it. If someone
has an issue I will create a new thread no worries.

We run a single 2003 native domain with 6 DC's. All clients are XP
SP2. I inherited this domain so I cannot speculate on how its initial
setup was done.

The issue we are experiencing is that random workstation accounts are
being deleted from AD and we don't know why. It occurs roughly once a
fortnight, it has not affected a server account yet and I believe it
is only occuring on computer accounts that are sitting inside one of
AD's OU's (We have multiple sites so depending on their site,
computers are organized into a particular OU) but I will need to
confirm this with my counterparts.

When the account is deleted, the workstation is not able to be used on
the domain. On logon, it says that the domian is unnavailable or the
account was deleted. Checking inside AD, you can verify the account no
longer exists.

I have enabled auditing on all 6 DC's. When the account is deleted, I
go through and check the last 24 hours but there is no mention of
event ID 647. I have also checked scheduled tasks that other admin's
may have enabled are there is nothing I found running against AD. I
would assume if a script was deleting these accounts, event ID 647
would pop up.

Google is not being cooperative either.

I will be running dcdiag on all DC's throughout the day user requests
permitting.

Is there another way I can find out how these accounts are being
deleted?
Is there something I'm missing?
Any thoughts?

Any help would be greatly appreciated.

Matt




*** - Begin Reply from Meinolf Weber - ***

Hello Haynsey,

As this posting is already from 08/2009 it is always better to create a new one. Anyway, as stated in the beginning for the OP, a computer account will NOT be deleted automatically, except some scripts are trigger this.

What auditing settings in detail have you set on the domain controllers OU?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm




*** - End Reply - ***

[Haynsey]

G'day Meinolf,

I don't think my auditing was setup correctly before. I had audit Directory Access set on the DC's BUT under AD Users & Computers, auditing deletions of computers, users and objects (objects being both users & computers?) was not ticked for everyone. I've ticked/enabled auditing on deleting objects for the everyone group on the entire domain to cover all bases.

This website may be interesting for anyone else diagnosing this issue:- http://blogs.dirteam.com/blogs/tomek...uot_3B00_.aspx

Hopefully next time it happens there will be an entry.

Is it wise to use the everyone group for this sort of thing? ie. will it incur a performance hit on the DC's?

Cheers,
Matt

Look for any scheduled tasks that might be using oldcmp. This is a utility
that cleans up machine accounts. Maybe someone has a task that is being run
improperly, although it should log account deletions if you have it set up
properly. Have you properly configured auditing? Jorge has an excellent
article on configuring object auditing on AD. I would read this entire
article and verify that you have things configured properly. This link
states 2008, but it should be good for 2000 and 2003.
http://blogs.dirteam.com/blogs/jorge...rver-2008.aspx

Oldcmp is a freeware utility written by Joe Richards at joeware.net

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Haynsey" <Haynsey.44e7ba@DoNotSpam.com> wrote in message
news:Haynsey.44e7ba@DoNotSpam.com...
>
> G'day,
>
> FYI - this thread was created because I used an older thread to reply
> to. Meinolf Weber has already replied, see below at the end of my post.
>
> Sorry for jumping into this thread with my own problem albeit very
> similar to the OP's so I hope I can add something to it. If someone
> has an issue I will create a new thread no worries.
>
> We run a single 2003 native domain with 6 DC's. All clients are XP
> SP2. I inherited this domain so I cannot speculate on how its initial
> setup was done.
>
> The issue we are experiencing is that random workstation accounts are
> being deleted from AD and we don't know why. It occurs roughly once a
> fortnight, it has not affected a server account yet and I believe it
> is only occuring on computer accounts that are sitting inside one of
> AD's OU's (We have multiple sites so depending on their site,
> computers are organized into a particular OU) but I will need to
> confirm this with my counterparts.
>
> When the account is deleted, the workstation is not able to be used on
>
> the domain. On logon, it says that the domian is unnavailable or the
> account was deleted. Checking inside AD, you can verify the account no
>
> longer exists.
>
> I have enabled auditing on all 6 DC's. When the account is deleted, I
> go through and check the last 24 hours but there is no mention of
> event ID 647. I have also checked scheduled tasks that other admin's
> may have enabled are there is nothing I found running against AD. I
> would assume if a script was deleting these accounts, event ID 647
> would pop up.
>
> Google is not being cooperative either.
>
> I will be running dcdiag on all DC's throughout the day user requests
> permitting.
>
> Is there another way I can find out how these accounts are being
> deleted?
> Is there something I'm missing?
> Any thoughts?
>
> Any help would be greatly appreciated.
>
> Matt
>
>
>
>
> *** - Begin Reply from Meinolf Weber - ***
>
> Hello Haynsey,
>
> As this posting is already from 08/2009 it is always better to create a
> new one. Anyway, as stated in the beginning for the OP, a computer
> account will NOT be deleted automatically, except some scripts are
> trigger this.
>
> What auditing settings in detail have you set on the domain controllers
> OU?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>
>
> *** - End Reply - ***
>
>
> --
> Haynsey
> ------------------------------------------------------------------------
> Haynsey's Profile: http://forums.techarena.in/members/171451.htm
> View this thread: AD Computer Accounts being Deleted Randomly
>
> http://forums.techarena.in
>

Hi
Here's another possible cause... replication problems...
Can you post the result for
repadmin /replsummary /bysrc /bydest /sort:delta
--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




"Haynsey" <Haynsey.44e7ba@DoNotSpam.com> wrote in message
news:Haynsey.44e7ba@DoNotSpam.com...
>
> G'day,
>
> FYI - this thread was created because I used an older thread to reply
> to. Meinolf Weber has already replied, see below at the end of my post.
>
> Sorry for jumping into this thread with my own problem albeit very
> similar to the OP's so I hope I can add something to it. If someone
> has an issue I will create a new thread no worries.
>
> We run a single 2003 native domain with 6 DC's. All clients are XP
> SP2. I inherited this domain so I cannot speculate on how its initial
> setup was done.
>
> The issue we are experiencing is that random workstation accounts are
> being deleted from AD and we don't know why. It occurs roughly once a
> fortnight, it has not affected a server account yet and I believe it
> is only occuring on computer accounts that are sitting inside one of
> AD's OU's (We have multiple sites so depending on their site,
> computers are organized into a particular OU) but I will need to
> confirm this with my counterparts.
>
> When the account is deleted, the workstation is not able to be used on
>
> the domain. On logon, it says that the domian is unnavailable or the
> account was deleted. Checking inside AD, you can verify the account no
>
> longer exists.
>
> I have enabled auditing on all 6 DC's. When the account is deleted, I
> go through and check the last 24 hours but there is no mention of
> event ID 647. I have also checked scheduled tasks that other admin's
> may have enabled are there is nothing I found running against AD. I
> would assume if a script was deleting these accounts, event ID 647
> would pop up.
>
> Google is not being cooperative either.
>
> I will be running dcdiag on all DC's throughout the day user requests
> permitting.
>
> Is there another way I can find out how these accounts are being
> deleted?
> Is there something I'm missing?
> Any thoughts?
>
> Any help would be greatly appreciated.
>
> Matt
>
>
>
>
> *** - Begin Reply from Meinolf Weber - ***
>
> Hello Haynsey,
>
> As this posting is already from 08/2009 it is always better to create a
> new one. Anyway, as stated in the beginning for the OP, a computer
> account will NOT be deleted automatically, except some scripts are
> trigger this.
>
> What auditing settings in detail have you set on the domain controllers
> OU?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>
>
> *** - End Reply - ***
>
>
> --
> Haynsey
> ------------------------------------------------------------------------
> Haynsey's Profile: http://forums.techarena.in/members/171451.htm
> View this thread: AD Computer Accounts being Deleted Randomly
>
> http://forums.techarena.in
>