Solved

User Acct. is being removed from AD group.

Posted on 2010-09-16
4
643 Views
Last Modified: 2012-06-22
I have added a user account to a Global group, and twice I have found the next day, that the account has been removed from the group.  I have Auding enabled, and have found the Event ID 633....

Type:      Audit Success
Source:      Security
Event ID:      633
Event Time:      9/16/2010 8:21:18 AM
User:      NT AUTHORITY\SYSTEM
Computer:      Pri-DCSVR00
Description:
Security Enabled Global Group Member Removed:
      Member Name:      CN=Joe Blow,OU=Contractors,OU=Technology Department,OU=STL,DC=acme,DC=com
      Member ID:      %{S-1-5-21-1814976544-1464880352-2118856591-5839}
      Target Account Name:      Test_Consult
      Target Domain:      Test
      Target Account ID:      %{S-1-5-21-1814976544-1464880352-2118856591-5712}
      Caller User Name:      -
      Caller Domain:      -
      Caller Logon ID:      (0x0,0x92837100)
      Privileges:      -

I am lost by the "User" that is removing the account from the Group, that user being "NT AUTHORITY\SYSTEM".  Is there a way to find out who or why this is getting removed?
0
Comment
Question by:mbigogno
  • 2
4 Comments
 
LVL 24

Accepted Solution

by:
Mike Thomas earned 250 total points
ID: 33698874
It is possibly being removed by a group policy.
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33698877
And do you really have a contracter called Joe Blow? cos that's a cool name. ;)
0
 
LVL 22

Expert Comment

by:65td
ID: 33705156
I'd be leaning to a GPO as well, look in restricted groups.
0
 

Author Closing Comment

by:mbigogno
ID: 33734378
Sorry it took so long to get back.  Had another administrator mucking around with group policy.  That was the fix.  Thanks.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question