4735, 4732 and 4733 in a cycle
Posted 12/18/2012 3:49:50 AM
Hello,
I have the following problem, or so-called interesting activity, in Windows Server logs.

1.
Win-sec 4735, success, A security-enabled local group was changed. Subject: SID: S-XX, Account Name: TerminalX$, Account Domain: , Logon ID: , Group: SID: S-YY, Group Name: GroupX, Group Domain: Builtin, Changed Attributes: SAM Account Name: -, SID History: -, Additional Information: Privileges: -;
2.1.
Win-sec 4733, success, A member was removed from a security-enabled local group. Subject: SID: S-XX, Account Name: TerminalX$, Account Domain: , Logon ID: , Member: SID: S-ZZ-1, Account Name: -, Group SID: S-YY, Group Name: GroupX, Group Domain: Builtin, Additional Information: Privileges: -;
2.2.
Win-sec 4733, success, A member was removed from a security-enabled local group. Subject: SID: S-XX, Account Name: TerminalX$, Account Domain: , Logon ID: , Member: SID: S-ZZ-2, Account Name: -, Group SID: S-YY, Group Name: GroupX, Group Domain: Builtin, Additional Information: Privileges: -;
3.1.
Win-sec 4732, success, A member was added to a security-enabled local group. Subject: SID: S-XX, Account Name: TerminalX$, Account Domain: , Logon ID: , Member: SID: S-ZZ-1, Account Name: -, Group SID: S-YY, Group Name: GroupX, Group Domain: Builtin, Additional Information: Privileges: -;
3.2.
Win-sec 4732, success, A member was added to a security-enabled local group. Subject: SID: S-XX, Account Name: TerminalX$, Account Domain: , Logon ID: , Member: SID: S-ZZ-2, Account Name: -, Group SID: S-YY, Group Name: GroupX, Group Domain: Builtin, Additional Information: Privileges: -;

TerminalX$ - terminal server serving clients.
Domain: All machines are in the same domain.
User groups: GroupX has 2 groups (with SID: S-ZZ-1 and with SID: S-ZZ-2).
This so-called cycle occurs once an hour.
1. User GroupX privileges are changed.
2. Two user groups from GroupX are removed from GroupX.
3. Two user groups from GroupX are added to GroupX.

The sysadmin said that this cycle should occur only once after the GPUpdate command (not once an hour). The admin ran gpupdate for the terminal server. Nothing changed. The admin restarted the terminal server; again nothing happened.

Does anyone have any idea about it?
I'm guessing that something is wrong in Group Policy (GPO).
Post #1150
Posted 12/20/2012 7:09:02 AM
The solution was that the admin changed that specific GPO and set it to 'Apply only once'. After that I haven't seen these logs for 2 days now. It seems that this was the answer to my problem.
Thank you also for your support!
Post #1154
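Added example, not part of the original posts: Python that groups 4733/4732 events into bursts per subject and group, then separates the net-zero remove/re-add churn described in this thread from a real membership change. It assumes each line has a leading ISO timestamp (the quoted log lines show none) and a 60-second burst window; the function names, the `admin1` account and all SIDs are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: field layout follows the log lines quoted in the post,
# plus a timestamp column the post does not show. SIDs/names are placeholders.
_T = ("{ts} Win-sec {eid}, success, Subject: SID: S-XX, Account Name: {who}, "
      "Member: SID: {m}, Account Name: -, Group SID: S-YY, Group Name: GroupX")
SAMPLE = [_T.format(ts=t, eid=e, who=w, m=m) for t, e, w, m in [
    ("2012-12-18T01:00:01", 4733, "TerminalX$", "S-ZZ-1"),
    ("2012-12-18T01:00:01", 4733, "TerminalX$", "S-ZZ-2"),
    ("2012-12-18T01:00:02", 4732, "TerminalX$", "S-ZZ-1"),
    ("2012-12-18T01:00:02", 4732, "TerminalX$", "S-ZZ-2"),
    ("2012-12-18T02:00:01", 4733, "TerminalX$", "S-ZZ-1"),
    ("2012-12-18T02:00:02", 4732, "TerminalX$", "S-ZZ-1"),
    ("2012-12-18T02:30:00", 4732, "admin1", "S-ZZ-9"),  # net add, not churn
]]

LINE = re.compile(
    r"^(?P<ts>\S+) Win-sec (?P<eid>473[23]),.*?Account Name: (?P<who>[^,]+),"
    r".*?Member: SID: (?P<member>[^,]+),.*?Group SID: (?P<group>[^,]+)")

def parse(lines):
    """Yield (time, subject, group SID, member SID, +1 for add / -1 for remove)."""
    for line in lines:
        m = LINE.match(line)
        if m:  # 4735 and unrelated lines carry no member SID and are skipped
            yield (datetime.fromisoformat(m["ts"]), m["who"].strip(),
                   m["group"].strip(), m["member"].strip(),
                   1 if m["eid"] == "4732" else -1)

def bursts(lines, gap=timedelta(seconds=60)):
    """Group events per (subject, group) into bursts and net out each member."""
    out, open_ = [], {}
    for ts, who, group, member, delta in sorted(parse(lines)):
        b = open_.get((who, group))
        if b is None or ts - b["end"] > gap:
            b = {"start": ts, "who": who, "group": group, "net": defaultdict(int)}
            open_[(who, group)] = b
            out.append(b)
        b["end"] = ts
        b["net"][member] += delta
    return out

def classify(burst):
    """'reapply' if every removal was undone in the same burst, else the delta."""
    changed = {sid: n for sid, n in burst["net"].items() if n != 0}
    return ("reapply", {}) if not changed else ("net-change", changed)
```

Evenly spaced `reapply` bursts from a machine account (`$` suffix) match the policy-driven cycle in this thread, while a `net-change` result lists the member SIDs whose membership actually differs afterwards.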