2Pac IT

Help with troubleshooting Microsoft System Account removing users from Domain Admins Group

I have an issue where a task/job run by NT AUTHORITY\SYSTEM removes users from the Domain Admins group. I am unable to find out if this is a task, a GPO, or what is causing one of our domain controllers to execute this. I then have to go and add all of our domain admins back into the group about 1 or 2 times a day. Is there a PowerShell command, utility, or any recommendation that will display what time a task or GPO runs to help troubleshoot this process? I need help figuring out what is causing the system account 'NT Authority\System' to remove the users from the Domain Admins group.
Chris

If you have auditing on for AD then you will be able to pinpoint the time and the source of the change.

Saving me having to type it out, this page gives you details on the event auditing that needs to be configured and the event IDs you need to look for:

https://www.lepide.com/how-to/track-and-audit-active-directory-group-membership-changes.html

You can cross-check that with the Group Policy log, which is one of the granular logs, to see if there is a timestamp that correlates and also what GPO it was that was doing a background refresh.
Or the System log, which should confirm a scheduled task running.
This could be due to protected group.
In the past I had a group that was a member of a protected group and that caused windows to remove the members.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
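The cross-check described above (group-membership audit events correlated against the Group Policy and Task Scheduler logs) as a script, added here as an example and not code from the thread. It assumes it is run elevated on the domain controller that made the change, that "Audit Security Group Management" success auditing is enabled so event 4729 is written, and that the Task Scheduler operational log is enabled (it is off by default); the 2-minute window is an assumed value.

```powershell
# Correlate "member removed from Domain Admins" audit events with Group Policy
# and Task Scheduler activity on this DC. Assumes the Security log holds 4729
# events (Audit Security Group Management, Success) and that the
# Microsoft-Windows-TaskScheduler/Operational log is enabled.
$Window = [TimeSpan]::FromMinutes(2)   # assumed: how far around each removal to look
$Since  = (Get-Date).AddDays(-2)

# Read a named EventData field from the event XML (field order varies per event ID).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4729 = member removed from a security-enabled global group (Domain Admins is global);
# 4733 / 4757 cover domain local / universal groups in case a custom group is involved.
$removals = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4729, 4733, 4757; StartTime = $Since
} -ErrorAction SilentlyContinue | Where-Object {
    (Get-EventField $_ 'TargetUserName') -eq 'Domain Admins'
}

foreach ($ev in $removals) {
    # SubjectUserName is the account that made the change; for NT AUTHORITY\SYSTEM on a DC
    # this is the computer account (<DCNAME>$), which tells you WHICH DC did it.
    $who    = Get-EventField $ev 'SubjectUserName'
    $member = Get-EventField $ev 'MemberName'
    "`n{0:u}  {1} removed {2}" -f $ev.TimeCreated, $who, $member

    $start = $ev.TimeCreated - $Window
    $end   = $ev.TimeCreated + $Window

    # Group Policy engine activity in the window: a background refresh or the Security
    # CSE (which applies Restricted Groups) logging here is the GPO lead to follow.
    "-- Group Policy events --"
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; StartTime = $start; EndTime = $end
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize

    # Scheduled tasks that started (100) or launched an action (200) in the same window.
    "-- Scheduled task events --"
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 100, 200
        StartTime = $start; EndTime = $end
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n = 'Task'; e = { Get-EventField $_ 'TaskName' } } |
        Format-Table -AutoSize
}
```

If no 4729 events appear at all, the audit policy is not in effect on this DC and that must be fixed first; if they appear but the subject is a different DC's computer account, run the script there instead.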
2Pac IT

ASKER

Thanks. I am looking at the logs and I have read about protected groups and restricted groups. Still no luck...
Please post the output of
gpresult /h c:\gpreport.html

2Pac IT

ASKER

Life1430, is there something specific I can look for? I appreciate the help, but I can't post the GP policy due to company policy.
Nothing specific as such... was expecting any clue we could find from it.
ASKER CERTIFIED SOLUTION
2Pac IT
