Hello all Windows Server 2003 Native AD mode. Question: Today we our members of the Domain admins group were mysteriously removed leaving the group empty. When checking the event log here's what we see: A member was removed from a security-enabled global group. Any ideas how to interpret this? Subject: Security ID: SYSTEM Account Name: DCV003$ Account Domain: ABCDOM Logon ID: 0x4d2dce56 Member: Security ID: ABCDOM\sample Group: Security ID: ABCDOM\Domain Admins Group Name: Domain Admins Group Domain: ABCDOM Additional Information: Privileges: -

It seems like Event ID 4729, the fileds are as follows: Security ID: The SID of the account. Account Name: The account logon name. Account Domain: The domain name. Logon ID number that identifies the logon session. Security ID: The SID of the group's member Account Name: The distinguished name of the group's member Security ID: The SID of the affected group Group Name: Name of affected group Group Domain: Domain of affected group With kind regards Krystian Zieja http://www.projectenvision.com Follow me on twitter My Blog Need help with your systems?

Hi, What’s the Event ID of this event? Is it 4729? From the event log, it is user DCV003 who initiated the action to remove members from Domain Admins group. You may check if DCV003 did this by mistake. Regards, Bruce Forum Support Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.