Help with troubleshooting Microsoft System Account removing users from Domain Admins Group

I have an issue where a task/job run by NT AUTHORITY\SYSTEM removes users from the Domain Admins. I am unable to find out if this is a task, GPO, or what is causing one of our domain controllers to execute this. I then have to go and add all of our domain admins back in the group about 1 or 2 times a day. Is there a PowerShell command, utility, or any recommendation that will display what time a task or GPO runs to help troubleshoot this process? I need help figuring out what is causing the system account 'NT Authority\System' to remove the users from the domain admins.
2Pac IT Asked:

Chris (Lead Infrastructure Architect) Commented:
If you have auditing on for AD then you will be able to pinpoint the time and the source of the change.

Saving me having to type it out, this page gives you details on the event auditing that needs to be configured and the event IDs you need to look for:

https://www.lepide.com/how-to/track-and-audit-active-directory-group-membership-changes.html

You can cross-check that with the Group Policy log, which is one of the granular logs, to see if there is a time stamp that correlates and also what GPO it was that was doing a background refresh.
Or the system log, which should confirm a scheduled task running.
Robert (System Admin) Commented:
This could be due to a protected group.
In the past I had a group that was a member of a protected group and that caused Windows to remove the members.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
2Pac IT (Author) Commented:
Thanks and I am looking at the logs and I have read about protected group and restricted groups. Still no luck...

Life1430 Commented:
Please post the output of
gpresult /h c:\gpreport.html

2Pac IT (Author) Commented:
Life1430, is there something specific I can look for? I appreciate the help, but I can't post the GP policy due to company policy.
Life1430 Commented:
Nothing specific as such. I was expecting we could find a clue from it.
2Pac IT (Author) Commented:
The solution was that the group was being modified by the Default Domain Policy GPO - I changed the users in the restricted groups and it works now. Thanks.
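
The cause found in this thread was a Restricted Groups setting in a GPO. The following is an added example, not posted by anyone in the thread: it parses a GPO's GptTmpl.inf for Restricted Groups entries that manage Domain Admins. The function names, the default group pattern and the sample SIDs are assumptions made for illustration.

```powershell
# Added example. Restricted Groups settings live in each GPO's GptTmpl.inf under
# [Group Membership], as "<group>__Members = ..." and "<group>__Memberof = ...".
function Get-RestrictedGroupEntry {
    param(
        [string[]]$InfLines,                               # lines of one GptTmpl.inf
        [string]$GroupPattern = '(-512|Domain Admins)$'    # 512 = well-known RID of Domain Admins
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = "$line".Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($text -match '^\*?(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            # Copy the captures first: the next -match overwrites $Matches.
            $group, $kind, $value = $Matches['group'], $Matches['kind'], $Matches['value']
            if ($group -match $GroupPattern) {
                [pscustomobject]@{
                    Group  = $group
                    Kind   = $kind
                    # Members is authoritative: accounts not listed are removed at policy refresh.
                    Values = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
                }
            }
        }
    }
}

# Hypothetical helper: scan a Policies folder such as \\<domain>\SYSVOL\<domain>\Policies.
function Find-RestrictedGroupGpo {
    param([Parameter(Mandatory)][string]$PoliciesPath, [string]$GroupPattern = '(-512|Domain Admins)$')
    $glob = Join-Path $PoliciesPath '*\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    foreach ($file in Get-ChildItem -Path $glob -ErrorAction SilentlyContinue) {
        $gpo = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }
        Get-RestrictedGroupEntry -InfLines (Get-Content -LiteralPath $file.FullName) -GroupPattern $GroupPattern |
            Select-Object @{ n = 'GpoId'; e = { $gpo } }, Group, Kind, Values
    }
}
# Constructed sample; the SIDs are made up.
$sample = @'
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-512__Memberof =
*S-1-5-21-1111111111-2222222222-3333333333-512__Members = *S-1-5-21-1111111111-2222222222-3333333333-1104
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"
Get-RestrictedGroupEntry -InfLines $sample | Format-Table -AutoSize
```

To scan a live domain, run `Find-RestrictedGroupGpo -PoliciesPath` against the domain's SYSVOL Policies share; each `GpoId` it returns can be resolved to a display name with `Get-GPO -Guid` from the GroupPolicy module.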
