Event ID 4733,4732

    Question

  • We are facing an issue with specific Windows 2012 R2 servers: all built-in local admins are continually removed every 10 mins.

    We got Event IDs 4733, 4732. We updated all servers and removed all linked GPOs related to these servers.

    We need to know what the issue is that removes the local admins.

    Our environment:

    AD 2012R2

    Monday, December 19, 2016 7:10 AM

All replies

  • Hi

     Event IDs 4733, 4732 are related to accounts being added and removed, as you know, so first you should configure advanced audit policy to find the source process:

    https://technet.microsoft.com/en-us/library/dn319056%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

    Also check this: http://social.technet.microsoft.com/wiki/contents/articles/17053.event-id-when-a-user-is-added-or-removed-from-security-enabled-domain-local-group-such-as-dnsadmins-group.aspx

    And you can configure "Active Directory group membership modifications report"

    http://blog.powershell.no/2009/10/11/active-directory-group-membership-modifications-report/

    "we updated all servers and removed all linked GPOs related to these servers" >>> A Restricted Groups GPO might be removing members from groups; check for details:

    https://technet.microsoft.com/tr-tr/library/cc756802(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    • Proposed as answer by Eric Anto Monday, December 19, 2016 12:10 PM
    Monday, December 19, 2016 7:28 AM
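Added example, not part of any reply in this thread: events 4732 and 4733 record the account that made the change in their Subject fields, so parsing them shows who is changing the group and at what interval. The event XML is constructed sample data (server, domain and SID values are placeholders) and the function names are hypothetical.

```powershell
# Added example: constructed sample events, hypothetical function names.
function ConvertFrom-GroupChangeXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e = ([xml]$Xml).Event
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = [datetime]$e.System.TimeCreated.SystemTime
            Action    = if ($e.System['EventID'].InnerText -eq '4732') { 'Added' } else { 'Removed' }
            GroupName = $d.TargetUserName
            MemberSid = $d.MemberSid
            Actor     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            ActorSid  = $d.SubjectUserSid   # S-1-5-18 = LocalSystem on that server
        }
    }
}

function Get-ChangePattern {
    # One row per actor/action/group, with the minutes between consecutive events.
    @($input) | Group-Object ActorSid, Action, GroupName | ForEach-Object {
        $t = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $gaps = for ($i = 1; $i -lt $t.Count; $i++) { [math]::Round(($t[$i] - $t[$i - 1]).TotalMinutes, 1) }
        $first = $_.Group[0]
        [pscustomobject]@{ Actor = $first.Actor; ActorSid = $first.ActorSid; Action = $first.Action
                           Group = $first.GroupName; Count = $_.Count; GapsMin = $gaps -join ', ' }
    }
}

# Constructed 4733 events, trimmed to the fields used above.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>{0}</EventID>
 <TimeCreated SystemTime="{1}"/></System><EventData>
 <Data Name="MemberSid">S-1-5-21-1111-2222-3333-1104</Data>
 <Data Name="TargetUserName">Administrators</Data>
 <Data Name="SubjectUserSid">S-1-5-18</Data>
 <Data Name="SubjectUserName">SRV01$</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
</EventData></Event>
'@
'2016-12-19T05:00:01Z', '2016-12-19T05:10:02Z', '2016-12-19T05:20:01Z' |
    ForEach-Object { $template -f 4733, $_ } | ConvertFrom-GroupChangeXml | Get-ChangePattern

# On an affected server (elevated prompt), feed real events instead:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732,4733} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-GroupChangeXml | Get-ChangePattern
```

A steady gap with ActorSid S-1-5-18 means the change comes from something running as LocalSystem on the server itself; a named user or service account in Actor identifies that account instead.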
  • I concur with Burak's suggestion.

    Here is one more resource which clarifies event ID 4733 in more detail - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4733

    To record changes made in an AD production environment, you can follow the steps given in the article below - https://community.spiceworks.com/how_to/129229-how-to-record-changes-made-in-active-directory

    Monday, December 19, 2016 7:52 AM
  • Dear,

    Just create a separate OU without any GPOs and move the affected machines into the OU. Observe for any changes.

    On any GPOs which have the settings enabled, verify whether the security settings have any "DENY" checked.

    Thanks

    Syea

    Monday, December 19, 2016 11:52 AM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate your feedback.

    Best regards,

    Wendy



    Friday, December 23, 2016 7:05 AM
    Moderator