I am seeing this Security event periodically. It is removing a domain account from the local admin for a specific windows 2008 R2 server.
Some Admin group accounts are being removed and readded programatically.
Some are being removed and not readded. Why is this occuring?
Where do I look?
It is causing my ADRMS services to not work.
A member was removed from a security-enabled local group.
Security ID: SYSTEM
Account Name: 0NH1C8P02$
Account Domain: MYCOMPANY
Logon ID: 0x3e7
Security ID: MYCOMPANY\_adrmsadmin
Account Name: -
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin