TeofiloHomsany-8813 asked DSPatrick edited

Windows 2019 Standard new administrator losing roles

Hi guys good morning,
I created a second domain administrator user on my Windows Server 2019 Standard and I am having issues that the user loses its administrative privileges after a few hours by itself.
Nothing is done, the server is not restarted but that administrator just becomes a regular user by itself so I can no longer go in as administrator.
The main administrator always works and does not have any issues but any administrator we create loses its permissions after a few hours and we have to reapply them to have it lose it again after some time.
What could be happening? There is no policy nor anything to disable the administrator after some time etc.
What could be causing this? It's really annoying.

UPDATE:
There is a Windows audit log number 4733 that is saying that the user was removed from Local Admin group. Why? I can't see the reason there but the log is showing Windows is removing the user from the group by itself.

Thanks,
Teo

windows-server-security

Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,

DSPatrick answered DSPatrick edited

Might check;
whoami /groups
also check the user's UAC settings

--please don't forget to upvote and Accept as answer if the reply is helpful--



FanFan-MSFT answered FanFan-MSFT commented

Hi,
Do you mean that you create a common user and add the user to the Administrators group, and then the user is removed from the group?
Or did you delegate the administrative permission to the users, and then the permission is lost?
For the first situation, it is suggested to check whether there is a Restricted Groups policy for the Administrators group.
You can check policies by running the command: gpresult /h c:\report.html.

Best Regards,


We create a new user, set him as member of Domain admins group, Local admin groups and after a few hours, the permissions are revoked by itself.
No group policy.
I did have a user in the restricted group as an admin but removed the user completely and refreshed the group policy but still the issue persists.
No matter which user I create as another admin, after a few hours the user loses permission as Administrator by itself.
Never seen this issue before. Don't know what to do.


Hi,
To narrow down the issue, please confirm the following information:
If possible, would you please share a screenshot of the event 4733?
Just to confirm if there are other unexpected policies, run the command: gpresult /h report.html
Confirm whether any scheduled tasks or scripts are running.

Best Regards,

DSPatrick answered TeofiloHomsany-8813 commented

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--




Nothing so far, keep creating an admin user and it loses its permissions by itself and is no longer admin nor can connect through RDP to the server.
I have to reapply the permissions as member of the admin group for it to connect again but then again it gets removed from the group by itself.

TeofiloHomsany-8813 answered

Looking at logs I am seeing that the user account keeps getting removed from local security policy by itself.
Log with ID 4733.
Don't know why the server is removing that account's permissions but I see it now in the logs.

DSPatrick answered DSPatrick edited

Something here may help.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733
The subject should tell you who has made the request.

--please don't forget to upvote and Accept as answer if the reply is helpful--
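
As an added example (not code posted by anyone in this thread): PowerShell that pulls the Subject fields out of event 4733, so the account and logon session that performed the removal can be read directly. The sample event, host name, domain and SIDs are constructed; the Data field names are the ones documented for event 4733, and the function name is hypothetical.

```powershell
# Added example: report who removed which member from which local group (event 4733).
function ConvertFrom-Event4733Xml {
    param([Parameter(Mandatory)][string]$EventXml)

    $doc = [xml]$EventXml
    # EventData holds <Data Name="...">value</Data> pairs; index them by name.
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

    [pscustomobject]@{
        TimeCreated = $doc.Event.System.TimeCreated.SystemTime
        Group       = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        MemberSid   = $data.MemberSid
        Subject     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        SubjectSid  = $data.SubjectUserSid
        LogonId     = $data.SubjectLogonId
        # S-1-5-18 is Local System: the change came from a service, a task running
        # as SYSTEM or policy processing, not from an interactive administrator.
        BySystem    = ($data.SubjectUserSid -eq 'S-1-5-18')
    }
}

# Constructed sample event (all values are placeholders, not taken from the thread).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4733</EventID><TimeCreated SystemTime="2021-01-01T08:00:00.000Z"/></System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SRV01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4733Xml $sample

# On the affected server (elevated prompt), the same parser over the live Security log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4733 } -MaxEvents 20 |
#     ForEach-Object { ConvertFrom-Event4733Xml $_.ToXml() } | Format-Table -AutoSize
```

The LogonId value can be matched against the Logon ID of a 4624 event to see how the session that made the change was created.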