I just took over the IT for a medium-sized business with three domain controllers (2003/2008 Standard), and whenever I create a new user, after some time the user account cannot log into most machines on the network. I have traced this back to the "Log On To..." area becoming populated with a small list of machines. Even when I set the option to all computers, this list comes back after some time.

I started hunting for vbs and ps1 scripts with the word "workstations" in them on all domain controllers to see if there is some kind of script to blame, but I have thus far come up empty-handed. Is there a known software suite that can cause this (Microsoft Forefront, etc.)?

How can I figure out what is causing this list to change?

Edit

I turned on auditing at tonyr roth's suggestion, and now I see that the SYSTEM account of one of the domain controllers is periodically writing to the userWorkstations attribute. Does the system account imply some sort of service or scheduled task?

Edit

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24106718.html

Appears to have my solution, EBS licensing.

Edit

Microsoft EBS is discontinued, and if you bought it you can get the components for free between June 30 2010 and December 31 2010.

http://www.microsoft.com/ebs/en/us/offers.aspx

Martin

2 Answers

Turn on auditing of AD events!

  • There is no audit policy called "AD Events". I have added a group policy object to my domain controllers to audit Directory Service Access. Is this what you mean? – Martin Apr 08 '10 at 13:46
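
One way to read the audit results described in the question's edit, as an added example that is not part of the original thread: it groups writes to `userWorkstations` by the domain controller that logged them and the writer's SID, and reports the time between writes, since a fixed interval points to a timer-driven service or scheduled task. It assumes the directory service change event (ID 5136, logged by Server 2008 and later) has been exported as XML under one root element, for example with `wevtutil qe Security /f:xml /e:Events`; every host name, SID and DN in the sample is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(time, dc, sid, dn, attr):  # one constructed 5136 record, fields used below only
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{dc}</Computer></System>'
            f'<EventData><Data Name="SubjectUserSid">{sid}</Data>'
            f'<Data Name="ObjectDN">{dn}</Data>'
            f'<Data Name="AttributeLDAPDisplayName">{attr}</Data></EventData></Event>')

# Constructed sample (hypothetical hosts, SIDs and DNs), wrapped in one root element.
USER = "CN=New User,OU=Staff,DC=example,DC=local"
SAMPLE = "<Events>" + "".join([
    _event("2010-04-08T01:00:02.000Z", "DC2.example.local", "S-1-5-18", USER, "userWorkstations"),
    _event("2010-04-08T01:30:00.000Z", "DC1.example.local",
           "S-1-5-21-1111111111-2222222222-3333333333-1105", USER, "description"),
    _event("2010-04-08T02:00:02.000Z", "DC2.example.local", "S-1-5-18", USER, "userWorkstations"),
    _event("2010-04-08T03:00:02.000Z", "DC2.example.local", "S-1-5-18", USER, "userWorkstations"),
]) + "</Events>"

def writers_of(xml_text, attribute="userWorkstations"):
    """Map (logging DC, writer SID) -> [(time, object DN)] for writes to attribute."""
    found = defaultdict(list)
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5136":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("AttributeLDAPDisplayName", "").lower() != attribute.lower():
            continue
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")[:19]
        dc = ev.findtext("e:System/e:Computer", namespaces=NS)
        found[(dc, data.get("SubjectUserSid"))].append(
            (datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"), data.get("ObjectDN")))
    return found

def summarize(found):
    """Per writer: write count, objects touched, seconds between consecutive writes."""
    report = {}
    for key, hits in found.items():
        times = sorted(t for t, _ in hits)
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[key] = {"writes": len(hits), "objects": sorted({dn for _, dn in hits}), "gaps_s": gaps}
    return report

if __name__ == "__main__":
    print(summarize(writers_of(SAMPLE)))
```

In the constructed sample the only writer is SID `S-1-5-18` (Local System) on one domain controller, at a steady 3600-second interval, which narrows the search to services and scheduled tasks running as SYSTEM on that host.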

Try looking at Group Policy Inheritance and "Resultant Set of Policies"

http://technet.microsoft.com/en-us/library/cc758010%28WS.10%29.aspx

Tie-fighter
  • I have run through the group policy modeling and results wizards and I see no scripts or anything that might affect AD. Thanks though! – Martin Apr 08 '10 at 13:45