My CNO was a member of Account operator, which is protected. I removed it from this group.
Why is the security changing on my cluster object
Sébastien Lagueux
156
Reputation points
Hello everyone I need your help
I have two windows clusters and I still have this error:
The computer object associated with the cluster network name resource 'Cluster Name' could not be updated in domain 'domain.com' during the
Password change operation.
The text for the associated error code is: Access is denied.
The cluster identity 'Cluster$' may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.
On my object cluster in AD, I notice that it always loses inheritance. I have adjusted the permissions on the OU but since it loses the inheritance I still have the error. What is it that changes the permissions on the cluster object?
Thank you very much for your help
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | Storage high availability | Clustering and high availability
Answer accepted by question author
2 additional answers
Sort by: Most helpful
-
Gary Reynolds 9,626 Reputation points2021-10-15T21:35:38.627+00:00 It sound like your cluster account is being protected by the SDProp process, have a look at this article sdprop which will explains how to check if the SDProp is changing the permissions of your cluster account.
Gary.
-
Sébastien Lagueux 156 Reputation points
2021-10-18T15:50:49.757+00:00 According to Nettools I have none.
-
Gary Reynolds 9,626 Reputation points
2021-10-19T03:16:19.827+00:00 Hi,
Have a look at this article which has the details of the cluster account and permissions that are required configure-ad-accounts
-
Sébastien Lagueux 156 Reputation points
2021-10-19T15:51:01.607+00:00 Yes I had seen this page and I am trying to do what it says. On my CNO I modify the permissions but after a few minutes they come back as before, so the CNO does not have the necessary access.
-
Gary Reynolds 9,626 Reputation points
2021-10-20T00:10:04.72+00:00 I think you will need to enable auditing on the account to see who or what is changing the permissions. On the account set audit permissions to Everyone, All writes, and then enable Audit object Access policy on the DCs.
At least this will provide the details on when and who is updating the permissions on the CNO.
Just to confirm your last comment on SDProp check, can you confirm that the admincount attribute of CNO account is either not set or 0?
Gary.
-
Sébastien Lagueux 156 Reputation points
2021-10-20T13:51:09.417+00:00 AdminCount is 1. So he is protected. It looks like this is normal as it is a cluster correct? But the protection does not enforce the right security.
-
Sébastien Lagueux 156 Reputation points
2021-10-20T18:06:16.14+00:00 I think I found it. My CNO was a member of Account operator, which is protected. I think he was causing this. I'm watching this.
Thank you for your help. -
Gary Reynolds 9,626 Reputation points
2021-10-20T21:09:30.163+00:00
Sign in to comment -
-
Limitless Technology 40,081 Reputation points2021-10-18T10:28:12.867+00:00 Hi there,
When you create a failover cluster and configure clustered services or applications, the failover cluster wizards create the necessary Active Directory computer accounts (also called computer objects) and give them specific permissions. The wizards create a computer account for the cluster itself and this is the reason for the permission changes on clusters.
If the reply is helpful, please Upvote and Accept it as an answer
-
Sébastien Lagueux 156 Reputation points
2021-10-19T15:53:00.173+00:00 but on this page it is indicated to change the permissions on the CNO. What do I do if the permissions keep coming back?
https://learn.microsoft.com/en-us/windows-server/failover-clustering/configure-ad-accounts
Sign in to comment -