Why is "A member was removed from a security-enabled local group." being removed

fpstarara
I am seeing this Security event periodically. It is removing a domain account from the local admin for a specific Windows 2008 R2 server.
Some Admin group accounts are being removed and re-added programmatically.
Some are being removed and not re-added. Why is this occurring?
Where do I look?
It is causing my ADRMS services to not work.


A member was removed from a security-enabled local group.

Subject:
      Security ID:            SYSTEM
      Account Name:            0NH1C8P02$
      Account Domain:            MYCOMPANY
      Logon ID:            0x3e7

Member:
      Security ID:            MYCOMPANY\_adrmsadmin
      Account Name:            -

Group:
      Security ID:            BUILTIN\Administrators
      Group Name:            Administrators
      Group Domain:            Builtin

Additional Information:
      Privileges:            -
Leon Fester, Senior Solutions Architect

Commented:
Take the guessing out of the equation and install a change reporter.
http://www.netwrix.com/active_directory_change_reporting_freeware.html

It will tell you who is making the changes.
Server was moved to the wrong OU and thus the GPO was removing the accounts.
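
One way to answer "where do I look?" from the Security log itself, as an added example that is not part of the original thread: it pairs removal events (4733) with add events (4732) for BUILTIN\Administrators, shows which members ended up removed and under which subject, then lists the GPOs applied to the computer. The helper name Resolve-SidName is made up for this example; run it from an elevated PowerShell prompt on the affected server.

```powershell
# Added example, not from the thread. Run elevated on the affected server.
# 4733 = member removed, 4732 = member added (security-enabled local group).
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Helper defined for this example: SID string -> DOMAIN\name, or the SID if unresolvable.
function Resolve-SidName([string]$Sid) {
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733 } |
    ForEach-Object {
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['TargetSid'] -ne $adminsSid) { return }   # other local groups: skip
        $action = if ($_.Id -eq 4733) { 'Removed' } else { 'Added' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Action    = $action
            MemberSid = $data['MemberSid']
            Subject   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            # Logon ID 0x3e7 is the LocalSystem session: the change was made by a
            # process running as SYSTEM on this machine, not by a logged-on admin.
            BySystem  = ($data['SubjectLogonId'] -eq '0x3e7')
        }
    }

# One row per member: how often it was removed/added and what happened last.
$changes | Group-Object MemberSid | ForEach-Object {
    $events = @($_.Group | Sort-Object Time)
    $last   = $events[-1]
    New-Object PSObject -Property @{
        Member      = Resolve-SidName $_.Name
        Removed     = @($events | Where-Object { $_.Action -eq 'Removed' }).Count
        Added       = @($events | Where-Object { $_.Action -eq 'Added' }).Count
        LastAction  = $last.Action
        LastTime    = $last.Time
        LastSubject = $last.Subject
        BySystem    = $last.BySystem
    }
} | Select-Object Member, Removed, Added, LastAction, LastTime, LastSubject, BySystem |
    Format-Table -AutoSize

# Rows with LastAction = Removed and BySystem = True point at something running as
# SYSTEM, such as Group Policy processing. List the GPOs applied to this computer:
gpresult /r /scope computer
```

Members that show matching Removed and Added counts are the ones being re-added; a member whose last action is Removed is one that stayed out of the group.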

Author

Commented:
spot on
