fpstarara
asked on
Why is "A member was removed from a security-enabled local group." being removed
I am seeing this Security event periodically. It is removing a domain account from the local admin for a specific Windows 2008 R2 server.
Some Admin group accounts are being removed and re-added programmatically.
Some are being removed and not re-added. Why is this occurring?
Where do I look?
It is causing my ADRMS services to not work.
A member was removed from a security-enabled local group.
Subject:
Security ID: SYSTEM
Account Name: 0NH1C8P02$
Account Domain: MYCOMPANY
Logon ID: 0x3e7
Member:
Security ID: MYCOMPANY\_adrmsadmin
Account Name: -
Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: -
ASKER CERTIFIED SOLUTION
ASKER
spot on
http://www.netwrix.com/active_directory_change_reporting_freeware.html
It will tell you who is making the changes.
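One way to list which members were removed and not re-added, and which account made the change, as an added example that is not part of the original thread: it pairs event 4733 (member removed) with event 4732 (member added) per group member, parsing the message layout shown in the question. The timestamps, the account `svc_example` and the export shape (timestamp, event ID, message text) are constructed assumptions.

```python
import re

# Constructed sample export: (timestamp, event ID, rendered message).
# 4733 = member removed, 4732 = member added. Layout follows the event in the question.
TEMPLATE = """Subject:
  Security ID: SYSTEM
  Account Name: 0NH1C8P02$
  Account Domain: MYCOMPANY
  Logon ID: 0x3e7
Member:
  Security ID: {member}
  Account Name: -
Group:
  Security ID: BUILTIN\\Administrators
  Group Name: Administrators
  Group Domain: Builtin"""
SAMPLE = [
    ("2024-01-01T08:00:05", 4732, TEMPLATE.format(member=r"MYCOMPANY\svc_example")),
    ("2024-01-01T08:00:05", 4733, TEMPLATE.format(member=r"MYCOMPANY\svc_example")),
    ("2024-01-01T08:00:05", 4733, TEMPLATE.format(member=r"MYCOMPANY\_adrmsadmin")),
]

def parse(message):
    """Return {section: {field: value}} from a rendered 4732/4733 message."""
    sections, current = {}, None
    for line in message.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue  # e.g. the one-line event description, which has no colon
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "":
            current = sections.setdefault(key, {})  # "Subject:", "Member:", "Group:"
        elif current is not None:
            current[key] = value
    return sections

def removed_not_readded(events):
    """Map (group, member) -> (time, actor, logon ID) where the last change is a removal."""
    last = {}
    # Assumption: within the same second, the removal precedes the re-add.
    for ts, event_id, message in sorted(events, key=lambda e: (e[0], e[1] == 4732)):
        s = parse(message)
        key = (s["Group"]["Security ID"], s["Member"]["Security ID"])
        actor = f'{s["Subject"]["Account Domain"]}\\{s["Subject"]["Account Name"]}'
        last[key] = (event_id, ts, actor, s["Subject"]["Logon ID"])
    return {k: v[1:] for k, v in last.items() if v[0] == 4733}

if __name__ == "__main__":
    print(removed_not_readded(SAMPLE))
```

Logon ID 0x3e7 in the output is the Local System logon session, so the removal was performed by a process running as the computer account itself rather than by an interactive user.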