It appears that during the early hours of the morning at the weekend, the Enterprise Admins group was removed from the Built-in Administrators group of a child domain, with event ID 4733 being generated.
There appear to be no user login events generated around this time. I have tracked down the DC that apparently made the change, but can find no obvious reason as to why this would happen.
I am currently running various AV and malware checks, but just wondered if anyone had experienced this before?
I can obviously now put the group back, but without knowing the cause, can't guarantee it won't happen again.
I've not seen that before, but I'd certainly recommend changing all domain admin passwords immediately just to be safe.