If two administrators each try to remove users from a group at the same time, "removed" users might reappear after Active Directory replication completes. Microsoft contends this "behavior of multivalue replication in Active Directory" is not a security flaw since it cannot "be exploited to allow unauthorized access or an elevation of privileges by attackers." Whether you agree with that verbal hair splitting or not, this tip explains the problem and how to avoid it.
When an administrator makes a change to a group object, Active Directory replicates the entire group object to other domain controllers. So, let's say you've got a group called "BackupOperators" with the appropriate authorization. This "BackupOperators" group contains users from a variety of departments including Sales, Finance and Manufacturing. Friday morning the company implements a significant reduction in force, and several of the authorized backup operators are affected.
The admin responsible for the Finance department binds to the nearest DC and modifies the group's membership in that DC's copy of the object. At the same time, the Sales admin does the same thing on a different DC. Because the entire group object (not just the membership changes) is replicated, the two modified versions of the group object produce a replication conflict when they meet, and Active Directory decides which of the two new versions of the group object wins. The changes made by the other administrator are lost.
To avoid this unlikely scenario, make it a policy that all admins make group membership changes while bound to a single domain controller. Alternatively, you could design the group architecture such that only one admin has primary responsibility for each group. For example, you could have a "Finance" Organizational Unit containing a BackupOperators group, with another BackupOperators group contained in a Sales OU.
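As an added illustration (not code from the original tip or from Microsoft), here is a small Python model of the lost update described above: two domain controllers each hold a copy of the group's member set, a simplified conflict rule picks the replica with the higher version and breaks ties by the later originating write time, and the same two removals are then replayed against a single DC as the policy recommends. The DC names, member names and the exact conflict rule are constructed assumptions that stand in for Active Directory's real resolution logic.

```python
"""Constructed model of whole-object replication of a group's member
attribute and the lost-update it produces. The conflict rule (higher
version wins, later originating time breaks ties) is a simplification."""
from dataclasses import dataclass, field


@dataclass
class GroupReplica:
    """One domain controller's copy of a group's member attribute."""
    members: set = field(default_factory=set)
    version: int = 0     # bumped on every local write to the attribute
    stamp: float = 0.0   # originating write time, breaks version ties


def remove_member(replica: GroupReplica, user: str, now: float) -> None:
    """A local membership change on this DC's copy of the group."""
    replica.members.discard(user)
    replica.version += 1
    replica.stamp = now


def replicate(a: GroupReplica, b: GroupReplica) -> set:
    """Whole-attribute replication: the winning replica's full member set
    overwrites the other, so the loser's removals are silently undone."""
    winner = max((a, b), key=lambda r: (r.version, r.stamp))
    loser = a if winner is b else b
    loser.members = set(winner.members)
    loser.version, loser.stamp = winner.version, winner.stamp
    return set(winner.members)


INITIAL = {"alice(finance)", "bob(sales)", "carol(mfg)"}  # constructed sample group


def concurrent_removals_on_two_dcs() -> set:
    """Finance admin on DC1 and Sales admin on DC2 act before replication."""
    dc1, dc2 = GroupReplica(set(INITIAL)), GroupReplica(set(INITIAL))
    remove_member(dc1, "alice(finance)", now=1.0)
    remove_member(dc2, "bob(sales)", now=2.0)
    return replicate(dc1, dc2)  # dc2 wins the tie, so alice reappears


def removals_on_single_dc() -> set:
    """Same edits, but both admins bound to DC1 as the tip advises."""
    dc1, dc2 = GroupReplica(set(INITIAL)), GroupReplica(set(INITIAL))
    remove_member(dc1, "alice(finance)", now=1.0)
    remove_member(dc1, "bob(sales)", now=2.0)
    return replicate(dc1, dc2)  # dc1 carries both writes: both removals survive


if __name__ == "__main__":
    print("two DCs  :", sorted(concurrent_removals_on_two_dcs()))
    print("single DC:", sorted(removals_on_single_dc()))
```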
Note that if the user objects had been deleted there would have been no problem, since each admin would have been operating on a separate (user) object and Active Directory automatically removes a user from all groups when the user object is deleted.
Note also that the upcoming major revision of Win 2000 Server (Whistler) is expected to eliminate this issue.
For more details, check out the "Security Groups and Replication Conflicts" section.
Kevin Sharp is a registered professional engineer, writer, and yoga teacher living in Tucson, Arizona. His writing interests have produced books and articles on the economic impact of technology on manufacturing and distribution organizations.