Account Being Re-Enabled Automatically by NT AUTHORITY\SYSTEM

    Question

  • I'm cleaning out accounts that are no longer in use and we've got a domain admin ID that is constantly re-enabled by NT AUTHORITY\SYSTEM.

    We've disabled the account multiple times, re-named it to something else, everything short of deleting it, and every night the NT Authority\System ID enables it again.

    Any idea on what's going on? Can we safely delete this ID or is it going to cause problems?

    Thanks,

    Bart

    Wednesday, April 19, 2017 9:15 PM

All replies

  • Hi Bart,
    Please check which groups that account is located in, and see if that group is a restricted group, which could be configured in the group policy.
    As far as I know, when using restricted groups, any current member of the group that is not on the “Members” list will be removed. All users / domain groups that are in the “Members” list and are not members of the group will be added as members.
    You could see more details from: https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, April 20, 2017 8:55 AM
    Moderator
  • > I'm cleaning out accounts that are no longer in use and we've got a domain admin ID that is constantly re-enabled by NT AUTHORITY\SYSTEM.
     
    Is it really constantly or is there a schedule you can recognize?
     
    Thursday, April 20, 2017 1:50 PM
  • I don't understand. The problem is that the System ID is activating a disabled account, and I don't know why.

    Are you saying the issue is that membership in a restricted group is activating the account? 

    Thursday, April 20, 2017 3:30 PM
  • > Are you saying the issue is that membership in a restricted group is activating the account?
     
    No. RG does not activate anything :-)
     
    Friday, April 21, 2017 10:12 AM
  • The re-activation happens at around the same time of day.
    Friday, April 21, 2017 5:16 PM
  • adminsdholder ?

    https://blogs.technet.microsoft.com/askds/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop/


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, April 22, 2017 12:56 AM
  • > adminsdholder ?
     
    My first thought, too - but the sdprop runs hourly, which doesn't match the description :)
    And as far as I know, the sdprop does not re-enable accounts.
    Monday, April 24, 2017 2:21 PM
  • > The re-activation happens at around the same time of day.

    Do you have some kind of FIM/ILM/MIIS, which does user account provisioning into your AD?

    Or, any kind of other identity sync or something, which might be doing this?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, April 25, 2017 1:04 AM
  • Hi Bart,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.
    Best regards,

    Wendy



    Saturday, April 29, 2017 10:56 AM
    Moderator
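
Added example, not part of the thread: one way to answer the schedule question raised above (a fixed time of day versus an hourly cycle such as sdprop) from the domain controllers' Security log, by pairing each disable (event ID 4725) with the re-enable (event ID 4722) that follows it. The function names and the sample events are constructed for illustration; the event IDs are the standard Windows ones and do not come from the thread.

```powershell
# Assumption: $Events holds 4725 (account disabled) and 4722 (account enabled)
# records for ONE account, e.g. collected on each DC with
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722, 4725 }
# and filtered to the account in question. Only Id and TimeCreated are used.
function Get-ReEnablePattern {
    param([Parameter(Mandatory)] [object[]] $Events)

    $lastDisable = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq 4725) {
            $lastDisable = $e.TimeCreated
        }
        elseif ($e.Id -eq 4722 -and $null -ne $lastDisable) {
            [pscustomobject]@{
                Disabled   = $lastDisable
                Enabled    = $e.TimeCreated
                DelayHours = [math]::Round(($e.TimeCreated - $lastDisable).TotalHours, 1)
                EnabledAt  = $e.TimeCreated.ToString('HH:mm')
            }
            $lastDisable = $null
        }
    }
}

# True when every re-enable falls inside one narrow time-of-day window.
# Limitation: a window that straddles midnight is not handled.
function Test-FixedDailySchedule {
    param([object[]] $Pairs, [int] $WindowMinutes = 30)

    if ($Pairs.Count -lt 3) { return $false }   # too few samples to judge
    $minutes = $Pairs | ForEach-Object { $_.Enabled.TimeOfDay.TotalMinutes }
    $range = $minutes | Measure-Object -Minimum -Maximum
    return (($range.Maximum - $range.Minimum) -le $WindowMinutes)
}

# Constructed sample: the account is disabled at different times of day
# and comes back shortly after 02:00 each night.
$sample = @(
    [pscustomobject]@{ Id = 4725; TimeCreated = [datetime]'2001-01-01T09:10:00' }
    [pscustomobject]@{ Id = 4722; TimeCreated = [datetime]'2001-01-02T02:03:00' }
    [pscustomobject]@{ Id = 4725; TimeCreated = [datetime]'2001-01-02T14:30:00' }
    [pscustomobject]@{ Id = 4722; TimeCreated = [datetime]'2001-01-03T02:01:00' }
    [pscustomobject]@{ Id = 4725; TimeCreated = [datetime]'2001-01-03T21:00:00' }
    [pscustomobject]@{ Id = 4722; TimeCreated = [datetime]'2001-01-04T02:04:00' }
)

$pairs = Get-ReEnablePattern -Events $sample
$pairs | Format-Table Disabled, Enabled, DelayHours, EnabledAt
"Fixed daily schedule: $(Test-FixedDailySchedule -Pairs $pairs)"
```

Delays that vary while `EnabledAt` stays constant point to a job that runs at a fixed time of day; delays that never exceed about an hour, whatever the time of the disable, point to an hourly process instead.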