Members removed from Domain Admins group
Hello all
Windows Server 2003 Native AD mode. Question: Today our members of the Domain Admins group were mysteriously removed, leaving the group empty. When checking the event log, here's what we see:
A member was removed from a security-enabled global group. Any ideas how to interpret this?
Subject:
    Security ID: SYSTEM
    Account Name: DCV003$
    Account Domain: ABCDOM
    Logon ID: 0x4d2dce56
Member:
    Security ID: ABCDOM\sample
Group:
    Security ID: ABCDOM\Domain Admins
    Group Name: Domain Admins
    Group Domain: ABCDOM
Additional Information:
    Privileges: -
July 15th, 2011 4:10pm
It seems like Event ID 4729; the fields are as follows:
Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain name.
Logon ID: Number that identifies the logon session.
Security ID: The SID of the group's member
Account Name: The distinguished name of the group's member
Security ID: The SID of the affected group
Group Name: Name of affected group
Group Domain: Domain of affected group
With kind regards
Krystian Zieja
http://www.projectenvision.com
July 15th, 2011 4:42pm
Hi,
What’s the Event ID of this event? Is it 4729?
From the event log, it is user DCV003 who initiated the action to remove members from Domain Admins group. You may check if DCV003 did this by mistake.
Regards,
Bruce
Forum Support
July 18th, 2011 4:47am
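Added example, not part of the original thread: a Python parser for the event text posted in the question. It keeps the repeated "Security ID" labels apart by section (Subject, Member, Group), as the field descriptions in the replies lay out, and flags a removal from a privileged group and a Subject account name ending in `$`, which denotes a computer account. The function names and the `PRIVILEGED_GROUPS` set are assumptions of this example.

```python
import re

# Constructed sample: the event text from the question, section indentation restored.
SAMPLE_EVENT = """\
A member was removed from a security-enabled global group.
Subject:
    Security ID: SYSTEM
    Account Name: DCV003$
    Account Domain: ABCDOM
    Logon ID: 0x4d2dce56
Member:
    Security ID: ABCDOM\\sample
Group:
    Security ID: ABCDOM\\Domain Admins
    Group Name: Domain Admins
    Group Domain: ABCDOM
Additional Information:
    Privileges: -
"""

# Assumption: groups this example treats as privileged; adjust per domain.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}

def parse_event(text):
    """Return {section: {label: value}}; 'Security ID' repeats once per section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"([A-Za-z ]+):", line)
        if header:  # a bare "Name:" line opens a new section
            current = sections.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            label, value = line.split(":", 1)
            current[label.strip()] = value.strip()
    return sections

def triage(text):
    """Summarise which account removed which member from which group."""
    ev = parse_event(text)
    subject, group = ev.get("Subject", {}), ev.get("Group", {})
    actor = subject.get("Account Name", "")
    return {
        "actor": f"{subject.get('Account Domain', '')}\\{actor}",
        "member": ev.get("Member", {}).get("Security ID", ""),
        "group": group.get("Group Name", ""),
        "privileged_group": group.get("Group Name", "").lower() in PRIVILEGED_GROUPS,
        "actor_is_computer_account": actor.endswith("$"),  # trailing "$" = computer account
        "logon_id": subject.get("Logon ID", ""),
    }
```

Calling `triage(SAMPLE_EVENT)` returns one record per event; the `logon_id` value can be used to look for other Security log entries from the same logon session on that domain controller.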