Solved

User Acct. is being removed from AD group.

Posted on 2010-09-16
Last Modified: 2012-06-22
I have added a user account to a Global group, and twice I have found the next day that the account has been removed from the group.  I have Auditing enabled, and have found the Event ID 633....

Type:      Audit Success
Source:      Security
Event ID:      633
Event Time:      9/16/2010 8:21:18 AM
User:      NT AUTHORITY\SYSTEM
Computer:      Pri-DCSVR00
Description:
Security Enabled Global Group Member Removed:
      Member Name:      CN=Joe Blow,OU=Contractors,OU=Technology Department,OU=STL,DC=acme,DC=com
      Member ID:      %{S-1-5-21-1814976544-1464880352-2118856591-5839}
      Target Account Name:      Test_Consult
      Target Domain:      Test
      Target Account ID:      %{S-1-5-21-1814976544-1464880352-2118856591-5712}
      Caller User Name:      -
      Caller Domain:      -
      Caller Logon ID:      (0x0,0x92837100)
      Privileges:      -

I am lost by the "User" that is removing the account from the Group, that user being "NT AUTHORITY\SYSTEM".  Is there a way to find out who or why this is getting removed?
Question by:mbigogno
4 Comments

Accepted Solution

by:
Mike Thomas earned 1000 total points
ID: 33698874
It is possibly being removed by a group policy.

Expert Comment

by:Mike Thomas
ID: 33698877
And do you really have a contractor called Joe Blow? cos that's a cool name. ;)

Expert Comment

by:65td
ID: 33705156
I'd be leaning to a GPO as well, look in restricted groups.

Author Closing Comment

by:mbigogno
ID: 33734378
Sorry it took so long to get back.  Had another administrator mucking around with group policy.  That was the fix.  Thanks.
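
One way to check the Restricted Groups diagnosis reached in this thread, as an added example that is not part of the original posts: a PowerShell parser for the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`), run here against a constructed sample. The function name, the sample template and the `-1111` member SID are assumptions made for illustration; the two other SIDs are the ones shown in the event above.

```powershell
# Added example (not from the thread). Parses the [Group Membership] section of
# a GPO security template (GptTmpl.inf), where Restricted Groups are stored as
#   <group>__Members = <member>,...   and   <group>__Memberof = <group>,...
# A leading '*' marks a SID; groups and members may also appear by name.
function Get-RestrictedGroupEntry {
    param(
        [Parameter(Mandatory)] [string] $InfText,  # contents of one GptTmpl.inf
        [string] $Source = '(inline sample)'       # label for the output rows
    )
    $inSection = $false
    foreach ($raw in $InfText -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $group = $Matches['group'].TrimStart('*')
            $kind  = $Matches['kind']
            $list  = $Matches['list'] -split ',' |
                     ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
            [pscustomobject]@{ Source = $Source; Group = $group; Kind = $kind; Values = @($list) }
        }
    }
}

# Constructed sample template. The group SID is the Target Account ID from the
# event above; the single listed member SID (-1111) is a made-up placeholder.
$sample = @'
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-21-1814976544-1464880352-2118856591-5712__Memberof =
*S-1-5-21-1814976544-1464880352-2118856591-5712__Members = *S-1-5-21-1814976544-1464880352-2118856591-1111
'@

$groupSid  = 'S-1-5-21-1814976544-1464880352-2118856591-5712'  # Target Account ID
$memberSid = 'S-1-5-21-1814976544-1464880352-2118856591-5839'  # Member ID (removed user)

# A __Members list is authoritative: at policy refresh, any member not on it is removed.
Get-RestrictedGroupEntry -InfText $sample |
    Where-Object { $_.Kind -eq 'Members' -and $_.Group -in @($groupSid, 'Test_Consult') } |
    Select-Object Source, Group, @{ n = 'WouldRemoveMember'; e = { $_.Values -notcontains $memberSid } }

# Against a live domain (path placeholders are assumptions to fill in):
# Get-ChildItem '\\<domain>\SYSVOL\<domain>\Policies' -Recurse -Filter GptTmpl.inf |
#   ForEach-Object { Get-RestrictedGroupEntry -InfText (Get-Content $_.FullName -Raw) -Source $_.FullName }
```

A row with `WouldRemoveMember` set to `True` identifies a policy whose member list omits the account, which matches a removal logged under `NT AUTHORITY\SYSTEM` with no caller name.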