Change to Built-in Admins
It appears during the early hours of the morning at the weekend, the Enterprise Admins group was removed from the Built-in Administrators group of a child domain with event ID 4733 being generated.
There apepar to be no user login event generated around this time. I have tracked down the DC that apparently made the change, but can find no obvious reason as to why this would happen.
I am currently running various AV and malware checks, but just wondered if anyone had experienced this before?
I can obviously now put the group back, but without knowing the cause, can't gurantee it won't happen again.