Solved

User Acct. is being removed from AD group.

Posted on 2010-09-16
4
645 Views
Last Modified: 2012-06-22
I have added a user account to a Global group, and twice I have found the next day, that the account has been removed from the group.  I have Auding enabled, and have found the Event ID 633....

Type:      Audit Success
Source:      Security
Event ID:      633
Event Time:      9/16/2010 8:21:18 AM
User:      NT AUTHORITY\SYSTEM
Computer:      Pri-DCSVR00
Description:
Security Enabled Global Group Member Removed:
      Member Name:      CN=Joe Blow,OU=Contractors,OU=Technology Department,OU=STL,DC=acme,DC=com
      Member ID:      %{S-1-5-21-1814976544-1464880352-2118856591-5839}
      Target Account Name:      Test_Consult
      Target Domain:      Test
      Target Account ID:      %{S-1-5-21-1814976544-1464880352-2118856591-5712}
      Caller User Name:      -
      Caller Domain:      -
      Caller Logon ID:      (0x0,0x92837100)
      Privileges:      -

I am lost by the "User" that is removing the account from the Group, that user being "NT AUTHORITY\SYSTEM".  Is there a way to find out who or why this is getting removed?
0
Comment
Question by:mbigogno
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 24

Accepted Solution

by:
Mike Thomas earned 250 total points
ID: 33698874
It is possibly being removed by a group policy.
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33698877
And do you really have a contracter called Joe Blow? cos that's a cool name. ;)
0
 
LVL 22

Expert Comment

by:65td
ID: 33705156
I'd be leaning to a GPO as well, look in restricted groups.
0
 

Author Closing Comment

by:mbigogno
ID: 33734378
Sorry it took so long to get back.  Had another administrator mucking around with group policy.  That was the fix.  Thanks.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question