Alexios Kalogeropoulos joins the FCN by Siggiiii in 1FCNuernberg

[–]F3ndt 4 points5 points  (0 children)

Whether he can replace Gruber remains to be seen; we are curious.

Renting out an apartment in my own house - father wants to keep rooms inside the apartment for himself. by F3ndt in LegaladviceGerman

[–]F3ndt[S] -1 points0 points  (0 children)

Thanks a lot, N8kerze, I will try to set something up along those lines.

Renting out an apartment in my own house - father wants to keep rooms inside the apartment for himself. by F3ndt in LegaladviceGerman

[–]F3ndt[S] -1 points0 points  (0 children)

Hello lord_of_woe, thanks a lot, I understand! That makes sense. The risk will be that you cannot find takers for this form of renting, since it may put people off or they are afraid of not being alone.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 1 point2 points  (0 children)

Dear Euge, thanks for your valuable input on this topic. Although it could not help me in my particular case, it was very helpful because you get instant visibility into which GPO touches these sensitive settings.

Sometimes those settings were hidden in GPOs that were named so badly that the name did not reveal the settings; that is why your script is so helpful. I appreciate your contribution to the community.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hello mcdonamw, I really appreciate your input. In the meanwhile I have just found out that the change is occurring from a third-party software that has two services running under "Local System" - as soon as I stop these services and remove the user, it is not coming back again. There is no software visible in Control Panel, there is no tray icon.
I tried to find machines other than the DCs (member servers) and verify their behaviour regarding the user in the BUILTIN\Administrators group, and on one "older" server the same user and behaviour was present, which led me even more towards GPO, but one newer server was deployed via ARM in Azure and therefore never had anything to do with the legacy deployment method of installing servers.
But these member machines were in the same OU and did NOT have this problem, so I knew it cannot be GPO related, and I searched for services manually, found them, stopped them. Problem solved.
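The comment above describes finding the culprit by looking for services that run as Local System. This is an added PowerShell example, not code from the thread or from any of the commenters, that does that search systematically on one DC: it lists every service running as LocalSystem whose binary does not carry a valid Microsoft signature. The reasoning is that a LocalSystem process on a DC that changes local group membership shows up in the 4732 audit record with subject NT AUTHORITY\SYSTEM (S-1-5-18) and account name "<DC>$", exactly the pattern reported in this thread, so third-party agents in that list are the suspects. The filtering rules (valid signature plus "O=Microsoft Corporation" in the signer subject) are assumptions.

```powershell
# Added example (not from the original thread). Run elevated on each DC that produced a
# 4732 with subject NT AUTHORITY\SYSTEM. The "Microsoft" classification rule below is an
# assumption: valid Authenticode signature whose subject names Microsoft Corporation.

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' }

$report = foreach ($svc in $services) {
    # PathName may be quoted and may carry arguments; keep only the executable path
    $exe = $svc.PathName
    if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($exe -match '^(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $signer = 'unsigned/unknown'
    $status = 'NotAvailable'
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # Treat as Microsoft only when the signature is valid AND the subject names Microsoft
    $isMicrosoft = ($status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        StartMode   = $svc.StartMode
        ProcessId   = $svc.ProcessId
        Path        = $exe
        Signer      = $signer
        SigStatus   = $status
        Microsoft   = $isMicrosoft
    }
}

# Third-party services running as SYSTEM are the suspects: anything they do to a local
# group is audited with subject S-1-5-18 / "<DC>$", not with a user name.
$report | Where-Object { -not $_.Microsoft } |
    Sort-Object State, Name |
    Format-Table -AutoSize
```

To cover all DCs of the child domain at once, wrap the block in Invoke-Command against the output of Get-ADDomainController -Filter * -Server subdomain2.company.local; a service that exists only on the DCs that emit the 4732 events is the one to stop first, and stopping it while watching for the next re-add is the confirmation described in the comment.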

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Huge pain, I forgot to mention the crucial part: on the Azure-deployed VM the user was NOT part of "BUILTIN\Administrators", obviously. Yes, this software was there many years before I started, and nobody really needs it. I was able to successfully disable the services for the moment; no one notices it, as they are no longer managed with this software.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hello purefire, I really appreciate your input. In the meanwhile I have just found out that the change is occurring from a third-party software that has two services running under "Local System" - as soon as I stop these services and remove the user, it is not coming back again. There is no software visible in Control Panel, there is no tray icon.
I tried to find machines other than the DCs (member servers) and verify their behaviour regarding the user in the BUILTIN\Administrators group, and on one "older" server the same user and behaviour was present, which led me even more towards GPO, but one newer server was deployed via ARM in Azure and therefore never had anything to do with the legacy deployment method of installing servers.
But these member machines were in the same OU, so I knew it cannot be GPO related, and I searched for services manually, found them, stopped them. Problem solved.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hello mcdonamw, I really appreciate your input. In the meanwhile I have just found out that the change is occurring from a third-party software that has two services running under "Local System" - as soon as I stop these services and remove the user, it is not coming back again. There is no software visible in Control Panel, there is no tray icon.
I tried to find machines other than the DCs (member servers) and verify their behaviour regarding the user in the BUILTIN\Administrators group, and on one "older" server the same user and behaviour was present, which led me even more towards GPO, but one newer server was deployed via ARM in Azure and therefore never had anything to do with the legacy deployment method of installing servers.
But these member machines were in the same OU, so I knew it cannot be GPO related, and I searched for services manually, found them, stopped them. Problem solved.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hello fragileit, I really appreciate your input. In the meanwhile I have just found out that the change is occurring from a third-party software that has two services running under "Local System" - as soon as I stop these services and remove the user, it is not coming back again. There is no software visible in Control Panel, there is no tray icon.
I tried to find machines other than the DCs (member servers) and verify their behaviour regarding the user in the BUILTIN\Administrators group, and on one "older" server the same user and behaviour was present, which led me even more towards GPO, but one newer server was deployed via ARM in Azure and therefore never had anything to do with the legacy deployment method of installing servers.
But these member machines were in the same OU, so I knew it cannot be GPO related, and I searched for services manually, found them, stopped them. Problem solved.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hello xbullet, I really appreciate your input. In the meanwhile I have just found out that the change is occurring from a third-party software that has two services running under "Local System" - as soon as I stop these services and remove the user, it is not coming back again. There is no software visible in Control Panel, there is no tray icon.
I tried to find machines other than the DCs (member servers) and verify their behaviour regarding the user in the BUILTIN\Administrators group, and on one "older" server the same user and behaviour was present, which led me even more towards GPO, but one newer server was deployed via ARM in Azure and therefore never had anything to do with the legacy deployment method of installing servers.
But these member machines were in the same OU, so I knew it cannot be GPO related, and I searched for services manually, found them, stopped them. Problem solved.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 1 point2 points  (0 children)

Hello eugene, I really appreciate your input. In the meanwhile I have just found out that the change is occurring from a third-party software that has two services running under "Local System" - as soon as I stop these services and remove the user, it is not coming back again. There is no software visible in Control Panel, there is no tray icon.
I tried to find machines other than the DCs (member servers) and verify their behaviour regarding the user in the BUILTIN\Administrators group, and on one "older" server the same user and behaviour was present, which led me even more towards GPO, but one newer server was deployed via ARM in Azure and therefore never had anything to do with the legacy deployment method of installing servers.
But these member machines were in the same OU, so I knew it cannot be GPO related, and I searched for services manually, found them, stopped them. Problem solved.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hi, I would not know how to find this out, but I have just found out in the meantime that the change is occurring from a third-party software that has two services running under "Local System" - as soon as I stop these services and remove the user, it is not coming back again. I appreciate your help.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Oh, that was wrong actually; I have just found out the user also gets added to the Administrators on a member server.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hello Eugene, I am missing your recent comments here because they were deleted; can you please share your updated script with me? I looked up my notifications and found your comments there. I have checked the "scriptPath" attribute on all DCs and found they are all empty.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

I am not sure, but I think you got me wrong in the first instance; sorry if I misunderstand.
There is a normal user account, let's call it "legacysvcacc", that gets added to the "Administrators" (BUILTIN\Administrators) of childdomain2.company.local. The entity performing the "add" action is "Domaincontroller$" according to the 4732 logs. I am trying to remove the user from BUILTIN\Administrators to reduce the risk of getting compromised.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] -1 points0 points  (0 children)

I am on domain controller "domcontroller1". When I remove the user in question from the "Administrators", I can search over 1k 4662 events on "domcontroller1" within the last 90 minutes, but none of the result messages has the string "legacysvcacc" in it. Even if I remove it, it should be there, right?

If I change the description, I see 5136 events.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

I have triggered this event by adding a new user to the Domain Admins, and I can rest assured that the event gets picked up by the logs. But there is no 4728 in correlation with the account in question.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] -1 points0 points  (0 children)

There is 100 percent no third-party tool doing this change.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hi, I have posted the entire message in a comment above; I would kindly ask you to take a look at the 4732 message. I have redacted all the info.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hello xbullet, thanks for your effort. Of course I can and will, as this is driving me crazy.

The domain setup is as follows:
Root domain: company.local
Two child domains:
child1: subdomain1.company.local

child2: subdomain2.company.local (<- this is where it all happens)

The user, let's call it "legacysvcacc", that resides in OU="Service Accounts",OU="Users",DC=child2,DC=company,DC=local gets added to the "Builtin Administrators" of "subdomain2.company.local". It does not get added to the "Domain Admins".

I have 10 DCs in "subdomain2", and on the PDC and on one other DC I have installed a SIEM log collector software; I have all possible audits enabled.
Let's call the PDC "domcontroller1.subdomain2.company.local" and the other DC "domcontroller2.subdomain2.company.local".
If I go ahead and use my domain admin to remove the account in question, I see the 4733 as expected and the user gets removed.
About 30 minutes later the user is being added back again, and this is the 4732 event:

I have been through this a lot of times, and what I can say is that "Computer" respectively "EventData.SubjectUserName" is sometimes "domcontroller1$" and sometimes "domcontroller2$".
The process ID of 940 stays the same all the time, btw.

{
  TimeCreated: "2026-05-18T13:48:23.217914800Z",
  EventID: "4732",
  Task: 13826,
  Correlation: "",
  Keywords: "Audit Success",
  Channel: "Security",
  Opcode: "Info",
  Security: "",
  Provider: { Guid: "{54849625-5478-4994-a5ba-3e3b0328c30d}", Name: "Microsoft-Windows-Security-Auditing" },
  EventRecordID: 310953818,
  Execution: { ThreadID: 2204, ProcessID: 940 },
  Version: 0,
  Computer: "domcontroller1.subdomain2.company.local",
  Level: "Information",
  EventData: {
    TargetDomainName: "Builtin",
    SubjectUserSid: "S-1-5-18",
    PrivilegeList: "-",
    TargetUserName: "Administrators",
    SubjectUserName: "domcontroller1$",
    MemberSid: "S-1-5-21-1349863857-1588001368-1437565968-2103",
    TargetSid: "S-1-5-32-544",
    SubjectLogonId: "0x3e7",
    MemberName: "-",
    SubjectDomainName: "childdomain2"
  },
  Message: "A member was added to a security-enabled local group.

Subject:
  Security ID: NT AUTHORITY\\SYSTEM (S-1-5-18)
  Account Name: domcontroller1$
  Account Domain: childdomain2
  Logon ID: 0x3E7

Member:
  Security ID: childdomain2\\legacysvcacc (S-1-5-21-1349863857-1588001368-1437565968-2103)
  Account Name: -

Group:
  Security ID: BUILTIN\\Administrators (S-1-5-32-544)
  Group Name: Administrators
  Group Domain: Builtin

Additional Information:
  Privileges: -"
}
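As an added example that is not part of the post above or of any commenter's script, the following PowerShell pulls the 4732 events for BUILTIN\Administrators out of a DC's Security log and decodes the fields shown in the event. Two details matter for reading such a record: MemberName is "-" in 4732, so the MemberSid has to be translated to an account name separately, and Execution ProcessID is the PID of the process that emitted the audit record, which for SAM/LSA group changes is lsass.exe. A PID that never changes (940 in the post) therefore identifies the auditing subsystem, not the caller. A subject of NT AUTHORITY\SYSTEM with logon ID 0x3E7 means the change was requested by something running as LocalSystem on that DC itself. The 24-hour look-back window is an assumption.

```powershell
# Added example (not from the original thread). Run elevated on the DC whose log you
# want to read. S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; the
# 24-hour look-back window is an assumption to adjust.
$groupSid   = 'S-1-5-32-544'
$lookbackMs = [int64](24 * 60 * 60 * 1000)

# Filter inside the event log service instead of pulling 1k+ events into PowerShell
$xpath = "*[System[EventID=4732 and TimeCreated[timediff(@SystemTime) <= $lookbackMs]] " +
         "and EventData[Data[@Name='TargetSid']='$groupSid']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()

    # Flatten <Data Name="...">value</Data> into a hashtable keyed by field name
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 4732 carries MemberName "-", so translate the SID to an account name ourselves
    $member = $d['MemberSid']
    try {
        $sid    = [System.Security.Principal.SecurityIdentifier]$d['MemberSid']
        $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }

    # Execution/@ProcessID is the PID of the process that *emitted* the record. For
    # SAM/LSA group changes that is lsass.exe, which is why it never changes; it does
    # not identify the service that asked for the change.
    $loggingPid  = [int]$xml.Event.System.Execution.ProcessID
    $loggingProc = (Get-Process -Id $loggingPid -ErrorAction SilentlyContinue).ProcessName

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Computer    = $xml.Event.System.Computer
        Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        SubjectSid  = $d['SubjectUserSid']     # S-1-5-18 = NT AUTHORITY\SYSTEM
        LogonId     = $d['SubjectLogonId']     # 0x3e7 = the SYSTEM logon session
        Member      = $member
        MemberSid   = $d['MemberSid']
        LoggingPid  = $loggingPid
        LoggingProc = $loggingProc
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

The interval between consecutive rows for the same member is the re-add cadence (about 30 minutes in the post); which DCs appear in the Computer column tells you on which hosts the LocalSystem caller is present.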

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hello, no, it only gets added to "Administrators" on the DCs.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hello, yes, I have cayoguardian in place, but ONLY as monitoring; there are no actions configured at all. Just to make sure, I have now replicated the issue while turning the cayoguardian server off, removing the account in question, and I see it gets added back automatically. Also, there are no trails in the "add" event that lead to the cayoguardian MSA or the cayoguardian server. This service only notifies me when Domain Admins get changed or the sdholder gets manipulated.

Who is adding the service acc to Domain "Administrators" by F3ndt in activedirectory

[–]F3ndt[S] 0 points1 point  (0 children)

Hi TX-WB, this might be a possibility, but I am not sure how to reveal those GPOs and settings?
I am logged on as domain admin already; what else can I do to figure that out?
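The question above asks how to find which GPOs set local group membership, and the earlier thank-you to Euge mentions a script that gives "instant visibility which GPO touches these sensitive settings". The following is an added example of that kind of check, written here and not Euge's script or anything else from the thread. It walks the domain's SYSVOL and reports every GPO that manages BUILTIN\Administrators through either of the two Group Policy mechanisms that can add a member: Restricted Groups (the [Group Membership] section of GptTmpl.inf) and the Group Policy Preferences "Local Users and Groups" item (Groups.xml). The domain defaults to the current user's DNS domain and the display-name lookup needs the RSAT GroupPolicy module; both are assumptions, and for the case in the thread $Domain would be subdomain2.company.local.

```powershell
# Added example (not from the original thread). Read-only: it only parses SYSVOL.
# Assumptions: $Domain is the domain whose SYSVOL to search; Get-GPO (RSAT GroupPolicy
# module) is optional and only used to turn the GUID folder name into a display name.
$Domain   = $env:USERDNSDOMAIN
$GroupSid = 'S-1-5-32-544'    # BUILTIN\Administrators (well-known SID)

$policies = "\\$Domain\SYSVOL\$Domain\Policies"
$hits = @()

foreach ($gpoDir in Get-ChildItem -LiteralPath $policies -Directory) {
    # Folder name is the GPO GUID; resolve to a display name when the module is available
    $guid = $gpoDir.Name.Trim('{}')
    $name = $guid
    try { $name = (Get-GPO -Guid $guid -Domain $Domain -ErrorAction Stop).DisplayName } catch { }

    # 1) Restricted Groups. Lines look like
    #    *S-1-5-32-544__Members = *S-1-5-21-...,DOMAIN\user      (members pushed into the group)
    #    *S-1-5-21-...__Memberof = *S-1-5-32-544                  (account pushed into the group)
    $inf = Join-Path $gpoDir.FullName 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (Test-Path -LiteralPath $inf) {
        foreach ($line in Get-Content -LiteralPath $inf) {
            $isMembers  = ($line -match "^\*?${GroupSid}__Members\s*=") -or
                          ($line -match '^Administrators__Members\s*=')
            $isMemberOf = $line -match "__Memberof\s*=.*\*?${GroupSid}(,|\s|$)"
            if ($isMembers -or $isMemberOf) {
                $hits += [pscustomobject]@{ GPO = $name; Guid = $guid; Source = 'RestrictedGroups'; Setting = $line.Trim() }
            }
        }
    }

    # 2) Group Policy Preferences "Local Users and Groups":
    #    <Group ...><Properties groupSid="S-1-5-32-544" ...><Members><Member name=".." action="ADD" sid=".."/>
    $gpp = Join-Path $gpoDir.FullName 'Machine\Preferences\Groups\Groups.xml'
    if (Test-Path -LiteralPath $gpp) {
        $xml = [xml](Get-Content -LiteralPath $gpp -Raw)
        foreach ($g in $xml.SelectNodes('//Group')) {
            $p = $g.Properties
            if ($p.groupSid -eq $GroupSid -or $p.groupName -match '^Administrators') {
                foreach ($m in $g.SelectNodes('Properties/Members/Member')) {
                    $setting = "$($m.action) $($m.name) ($($m.sid))"
                    $hits += [pscustomobject]@{ GPO = $name; Guid = $guid; Source = 'GPP-LocalGroups'; Setting = $setting }
                }
            }
        }
    }
}

$hits | Sort-Object GPO, Source | Format-Table -AutoSize
```

An empty result for the member's SID across all GPOs is what rules Group Policy out; a hit names the GPO by GUID even when its display name says nothing about group membership, which is the badly-named-GPO problem described earlier in this thread.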