In our Active Directory domain, we have some strange things happening to a certain user account:
In the security rights for that user object, the "Include inheritable permissions from this object's parent" flag keeps getting disabled. Which causes some problems for that user.
If an administrator enables it, a few hours later it's disabled again. So we enabled auditing on that user object, to see who or what is doing that.
The auditing works: if I manually check or uncheck the flag on that user, an entry is created in the security log on the domain controllers, stating a directory service object was modified etc.
However, it does not log the mystery process that disables the flag. When I enable the flag, it gets logged in the auditing log. But a few hours later it's disabled again and the audit log shows nothing.
So I'm quite stumped. Are there any processes or user accounts that can modify AD objects without this showing up in the audit log?
You may be experiencing the AdminSDHolder effect.
Accounts that are members of specific groups are protected by Active Directory. This means that the system prevents them from inheriting permissions from the parent container. This is a security feature, intended to protect high-privilege accounts from inadvertent modification.
https://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx
Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/kb/232199
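As an added example (not from the answer above or from Microsoft), this script checks whether a given account shows the three signs of SDProp at work: the adminCount marker, blocked inheritance, and a DACL that matches the AdminSDHolder template, and lists which protected group(s) cause it. It assumes the RSAT ActiveDirectory module and read access to the domain; $SamAccountName is a placeholder for the affected user.

```powershell
# Added example, not the original answer's code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # placeholder: the account whose inheritance keeps getting disabled

$domain  = Get-ADDomain
$rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID   # Enterprise/Schema Admins live here
$user    = Get-ADUser -Identity $SamAccountName -Properties adminCount
$dn      = $user.DistinguishedName

# 1. adminCount=1 is the marker SDProp leaves on every account it has protected.
"adminCount on {0}: {1}" -f $SamAccountName, $user.adminCount

# 2. The symptom from the question: is inheritance currently blocked on the object?
$userAcl = Get-Acl -Path "AD:\$dn"
"Inheritance blocked: {0}" -f $userAcl.AreAccessRulesProtected

# 3. Compare the object's explicit ACEs with the AdminSDHolder template SDProp copies from.
function Get-ExplicitAceStrings($acl) {
    $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        ForEach-Object { '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
                         $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType } |
        Sort-Object -Unique
}
$templateAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$diff = Compare-Object (Get-ExplicitAceStrings $userAcl) (Get-ExplicitAceStrings $templateAcl)
"DACL matches AdminSDHolder: {0}" -f ($null -eq $diff)

# 4. Which protected group(s) pull the account under SDProp? Resolved by well-known SID so it
#    works regardless of group names; nested membership via LDAP_MATCHING_RULE_IN_CHAIN.
$protectedSids  = @(512, 516, 521 | ForEach-Object { "$($domain.DomainSID)-$_" })   # Domain Admins, DCs, RODCs
$protectedSids += @(518, 519      | ForEach-Object { "$rootSid-$_" })               # Schema/Enterprise Admins
$protectedSids += @(544, 548, 549, 550, 551, 552 | ForEach-Object { "S-1-5-32-$_" }) # Administrators, Account/
                                                                                     # Server/Print/Backup Ops, Replicator
$escapedDn = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escapedDn)"
$hits   = $groups | Where-Object { $protectedSids -contains $_.SID.Value }
if ($hits) { 'Protected through: ' + (($hits | ForEach-Object Name) -join ', ') }
else       { 'Not a member of any protected group (check adminCount was not left over from a past membership)' }
```

If the account is no longer in a protected group but adminCount is still 1, clearing adminCount and re-enabling inheritance is what stops the hourly reset; the ACL reset itself is performed by the PDC emulator's SDProp thread, which is why per-object auditing of user changes does not show it.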
You can also check it with an Active Directory auditor tool; it may work, as it audits all your domain controllers' objects and keeps track of all activities happening in your domain.