troubleshooting Question

Why is "A member was removed from a security-enabled local group." being removed

Avatar of fpstarara
fpstararaFlag for United States of America asked on
Windows Server 2008Active Directory
3 Comments1 Solution1339 ViewsLast Modified:
I am seeing this Security event periodically.  It is removing a domain account from the local admin for a specific windows 2008 R2 server.
Some Admin group accounts are being removed and readded programatically.
Some are being removed and not readded.  Why is this occuring?
Where do I look?
It is causing my ADRMS services to not work.

A member was removed from a security-enabled local group.

      Security ID:            SYSTEM
      Account Name:            0NH1C8P02$
      Account Domain:            MYCOMPANY
      Logon ID:            0x3e7

      Security ID:            MYCOMPANY\_adrmsadmin
      Account Name:            -

      Security ID:            BUILTIN\Administrators
      Group Name:            Administrators
      Group Domain:            Builtin

Additional Information:
      Privileges:            -

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 3 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 3 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros