Event ID 684 is logged every 60 minutes on a PDC emulator after you raise the forest functional level to Windows Server 2003

Article ID: 926096

SYMPTOMS

Consider the following scenario. You raise the forest functional level to Microsoft Windows Server 2003. You create a user account and then add the account to an administrative group or to an operator group. For example, you add the user to the Domain Admins group.

In this scenario, the following event message is logged in the Security log:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 684
Date: 28.04.2006
Time: 05:16:33
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ComputerName
Description:
Set ACLs of members in administrators groups:
Target Account Name: NewlyCreatedUser
Target Domain: DC=DomainName,DC=com
Target Account ID: DomainName\NewlyCreatedUser
Caller User Name: ComputerName$
Caller Domain: DomainName
Caller Logon ID: (0x0,0x3E7)
Privileges: -

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Note: NewlyCreatedUser is the administrative user account that you have created.

Event ID 684 is logged every 60 minutes on the primary domain controller (PDC) emulator.

CAUSE

In Active Directory, the AdminSDHolder object updates the security descriptors of protected accounts every 60 minutes (3600 seconds). To do this, it compares its own security descriptor to the security descriptor of the new administrative account. However, it does not examine the two security descriptors access control entry by access control entry. Instead, it treats them as binary large objects, so any byte-level difference between the two is treated as a mismatch.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

After the forest functional level is raised to Windows Server 2003, the access control entries of the new account may be reordered when add operations or modify operations occur, so the security descriptor is rewritten. Each rewrite updates the security descriptor one time. However, the updates keep recurring because the reordered access control entries on the new account remain in a different order from those in the AdminSDHolder security descriptor, and the binary comparison therefore never matches.
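To make the difference between the blob comparison described in the "Cause" section and an ACE-by-ACE comparison visible on a live domain, the following added example (it is not code from this article or from Microsoft) reads the DACL of AdminSDHolder and of a protected account and compares them both ways. It assumes the ActiveDirectory PowerShell module is available (it ships with RSAT on Windows Server 2008 R2 and later); the function names and the $SamAccountName parameter are assumptions of this example.

```powershell
# Added example, not code from KB 926096. Assumes the ActiveDirectory module (RSAT) and that
# $SamAccountName names an account that is a member of a protected group (adminCount = 1).
param([Parameter(Mandatory)][string]$SamAccountName)
Import-Module ActiveDirectory

# Canonical, order-independent text form of one explicit ACE (hypothetical helper).
function ConvertTo-AceKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    return ('{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference.Value, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritedObjectType, $Ace.InheritanceType)
}

function Compare-AdminSdHolderDacl {
    param([string]$SamAccountName)
    $domainDN = (Get-ADDomain).DistinguishedName
    $holder  = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDN" -Properties nTSecurityDescriptor
    $account = Get-ADUser -Identity $SamAccountName -Properties nTSecurityDescriptor, adminCount

    # 1. The comparison the article describes: the DACL as one opaque, ordered blob.
    #    Two DACLs with the same ACEs in a different order produce different strings here.
    $sections    = [System.Security.AccessControl.AccessControlSections]::Access
    $holderBlob  = $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm($sections)
    $accountBlob = $account.nTSecurityDescriptor.GetSecurityDescriptorSddlForm($sections)

    # 2. The comparison an administrator expects: same explicit ACEs, order ignored,
    #    inherited ACEs excluded (GetAccessRules(explicit=$true, inherited=$false)).
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $holderAces  = @($holder.nTSecurityDescriptor.GetAccessRules($true, $false, $sidType) |
                     ForEach-Object { ConvertTo-AceKey $_ } | Sort-Object -Unique)
    $accountAces = @($account.nTSecurityDescriptor.GetAccessRules($true, $false, $sidType) |
                     ForEach-Object { ConvertTo-AceKey $_ } | Sort-Object -Unique)
    $diff = Compare-Object -ReferenceObject $holderAces -DifferenceObject $accountAces

    # BlobsIdentical = $false together with AceSetsEqual = $true is exactly the reordered-ACE
    # state the article describes: the protected account keeps being rewritten every 60 minutes.
    [pscustomobject]@{
        Account        = $account.SamAccountName
        AdminCount     = $account.adminCount
        BlobsIdentical = ($holderBlob -eq $accountBlob)
        AceSetsEqual   = ($null -eq $diff)
        OnlyOnHolder   = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        OnlyOnAccount  = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    }
}

Compare-AdminSdHolderDacl -SamAccountName $SamAccountName | Format-List
```

Run it on the PDC emulator against the account named in the repeated Event ID 684 entries; a non-empty OnlyOnHolder or OnlyOnAccount list indicates a real permission difference rather than the ordering effect this article describes.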

For more information about the scope and the operation of the AdminSDHolder object, click the following article numbers to view the articles in the Microsoft Knowledge Base:
817433 Delegated permissions are not available and inheritance is automatically disabled
232199 Description and update of the Active Directory AdminSDHolder object

Properties

Article ID: 926096 - Last Review: October 11, 2007 - Revision: 1.3
APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
Keywords: kbtshoot kbprb KB926096
