Recently, I've come across a number of events in which our server administrators are adding domain groups to the local server Administrators group. This isn't abnormal, except that the events are not showing which domain group was added. Granted, the least possible denominator is the SID (Security ID) that is stamped, but it does not account for the additional research that must go on in order to ascertain the human-readable context. The MAIN problem that I would hope is explainable is why the "Account Name" field remains blank when the server is part of the domain and logs are able to be correlated. Or wouldn't the name of the group (or group label) that is passed through as part of the new entry into the local Administrators group be something that is recorded as part of the log?
An example:
A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1 <Redacted Info>
Account Name: <A Server Admin Redacted>
Account Domain: <Server Domain Redacted>
Logon ID: <LOGON ID Redacted>
Member:
Security ID: S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-12 <Redacted Info>
Account Name: -
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: -
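Added example (my own, not code from the poster): the practical workaround when the Member "Account Name" in a 4732 event is "-" is to take the Member SID from the event's XML and translate it yourself. The script below reads 4732 events from the Security log, pulls the `MemberSid` / `MemberName` / `Subject*` / `Target*` data fields out of the event XML, and tries to resolve the SID with `SecurityIdentifier.Translate`. Well-known and local SIDs such as S-1-5-32-544 resolve on any Windows host; a domain SID only resolves when a domain controller that knows it is reachable, otherwise the raw SID is kept. The domain SID in the sample call is a constructed placeholder, and the function and parameter names are my own.

```powershell
# Added example (not from the original post). Resolve the Member SID of
# event 4732 ("A member was added to a security-enabled local group") to a name.

function Resolve-SidToName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Unresolvable SID (no reachable DC, deleted principal, placeholder): keep the SID
        return $Sid
    }
}

function Get-LocalGroupMembershipChanges {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 50
    )
    # Reading the Security log requires an elevated session (or Event Log Readers rights)
    Get-WinEvent -ComputerName $ComputerName `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4732 } `
                 -MaxEvents $MaxEvents |
        ForEach-Object {
            # EventData/Data elements carry the named fields shown in the event text
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            # Prefer the logged name; fall back to SID translation when it is "-"
            $memberName = if ($d.MemberName -and $d.MemberName -ne '-') {
                $d.MemberName
            } else {
                Resolve-SidToName $d.MemberSid
            }

            [pscustomobject]@{
                Time       = $_.TimeCreated
                Actor      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Group      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                MemberSid  = $d.MemberSid
                MemberName = $memberName
            }
        }
}

# Constructed placeholder for the redacted domain group SID in the post
$sampleMemberSid = 'S-1-5-21-1111111111-2222222222-3333333333-12'

Resolve-SidToName 'S-1-5-32-544'     # BUILTIN\Administrators, resolves offline
Resolve-SidToName $sampleMemberSid   # stays a SID unless a DC that knows it is reachable

Get-LocalGroupMembershipChanges | Format-Table -AutoSize
```

Run this on the member server itself (elevated) so the domain SID translation goes through that server's own secure channel to the domain; if the table still shows raw S-1-5-21 SIDs in MemberName, the server could not reach a DC that knows the principal, which is the same gap the event text leaves you with.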
