We help IT Professionals succeed at work.
Get Started

Why is "A member was removed from a security-enabled local group." being removed

1,336 Views
Last Modified: 2012-05-11
I am seeing this Security event periodically.  It is removing a domain account from the local admin for a specific windows 2008 R2 server.
Some Admin group accounts are being removed and readded programatically.
Some are being removed and not readded.  Why is this occuring?
Where do I look?
It is causing my ADRMS services to not work.


A member was removed from a security-enabled local group.

Subject:
      Security ID:            SYSTEM
      Account Name:            0NH1C8P02$
      Account Domain:            MYCOMPANY
      Logon ID:            0x3e7

Member:
      Security ID:            MYCOMPANY\_adrmsadmin
      Account Name:            -

Group:
      Security ID:            BUILTIN\Administrators
      Group Name:            Administrators
      Group Domain:            Builtin

Additional Information:
      Privileges:            -
Comment
Watch Question
This problem has been solved!
Unlock 1 Answer and 3 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE