Hello all, this action happened every time at 06:00 AM on the SharePoint Search Server, and I don't know why this event was generated by the SP.Farm domain user (Administrator user on the server). Can anyone tell me why this action happened on the system?
Event description:
A member was added to a security-enabled local group
<13>Jan 07 06:11:06 DOMAIN_SPSEARCH AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.3.0.41 Source=Microsoft-Windows-Security-Auditing Computer=SPSearch.domain.net OriginatingComputer=X.X.X.X User= Domain= EventID=4732 EventIDCode=4732 EventType=8 EventCategory=13826 RecordNumber=279154794 TimeGenerated=1673064664 TimeWritten=1673064664 Level=Log Always Keywords=Audit Success Task=SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP Opcode=Info Message=A member was added to a security-enabled local group. Subject: Security ID: DOMAIN\SP.Farm Account Name: SP.Farm Account Domain: DOmain Logon ID: 0xAF63AFAA7 Member: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: - Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Additional Information: Privileges: -
A member was removed from a security-enabled local group
<13>Jan 07 06:11:06 DOMAIN_SPSEARCH AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.3.0.41 Source=Microsoft-Windows-Security-Auditing Computer=SPSearch.DOMAIN.net OriginatingComputer=X.X.X.X User= Domain= EventID=4733 EventIDCode=4733 EventType=8 EventCategory=13826 RecordNumber=279154795 TimeGenerated=1673064664 TimeWritten=1673064664 Level=Log Always Keywords=Audit Success Task=SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP Opcode=Info Message=A member was removed from a security-enabled local group. Subject: Security ID: DOMAIN\SP.Farm Account Name: SP.Farm Account Domain: DOMAIN Logon ID: 0xAF63AFAA7 Member: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: - Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Additional Information: Privileges:
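Added example, not part of the original post: a Python triage helper that parses agent-forwarded 4732/4733 lines like the two above and separates add/remove pairs made by the same account in the same logon session (net membership unchanged) from one-sided changes. The sample lines are constructed and trimmed to the post's fields; the third sample row, the 60-second window and all function names are assumptions.

```python
import re

EVENT_RE = re.compile(
    r"EventID=(?P<event_id>4732|4733)\b.*?TimeGenerated=(?P<ts>\d+)"
    r".*?Subject: Security ID: (?P<actor>.+?) Account Name:"
    r".*?Logon ID: (?P<logon_id>0x[0-9A-Fa-f]+)"
    r" Member: Security ID: (?P<member>.+?) Account Name:"
    r".*?Group: Security ID: (?P<group>.+?) Group Name:"
)

def parse_event(line):
    """Return the membership-change fields of one 4732/4733 log line, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"], ev["ts"] = int(ev["event_id"]), int(ev["ts"])
    return ev

def classify(lines, window=60):
    """Return (pairs, unmatched): add/remove pairs that cancel out, and the rest."""
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["ts"])
    pending, pairs, unmatched = {}, [], []
    for ev in events:
        key = tuple(ev[k].casefold() for k in ("actor", "logon_id", "member", "group"))
        prev = pending.pop(key, None)
        if prev and prev["event_id"] != ev["event_id"] and ev["ts"] - prev["ts"] <= window:
            pairs.append((prev, ev))  # same actor, session, member and group: net no-op
            continue
        if prev:
            unmatched.append(prev)  # repeated add (or remove) with no counterpart
        pending[key] = ev
    return pairs, unmatched + list(pending.values())

# Constructed sample input: rows 1 and 2 are the post's events trimmed to the parsed
# fields; row 3 (member, group, logon ID, time) is invented for contrast.
TEMPLATE = (r"<13>Jan 07 06:11:06 DOMAIN_SPSEARCH AgentDevice=WindowsLog EventID={0} "
            r"TimeGenerated={1} Message=(trimmed) Subject: Security ID: DOMAIN\SP.Farm "
            r"Account Name: SP.Farm Account Domain: DOMAIN Logon ID: {2} "
            r"Member: Security ID: {3} Account Name: - "
            r"Group: Security ID: {4} Group Name: (trimmed) Group Domain: Builtin")
ROWS = [(4732, 1673064664, "0xAF63AFAA7", r"NT AUTHORITY\NETWORK SERVICE", r"BUILTIN\IIS_IUSRS"),
        (4733, 1673064664, "0xAF63AFAA7", r"NT AUTHORITY\NETWORK SERVICE", r"BUILTIN\IIS_IUSRS"),
        (4732, 1673064700, "0x1234ABCD", r"DOMAIN\example.user", r"BUILTIN\Administrators")]
SAMPLE = [TEMPLATE.format(*row) for row in ROWS]

if __name__ == "__main__":
    pairs, unmatched = classify(SAMPLE)
    print(len(pairs), "cancelling pair(s);", len(unmatched), "one-sided change(s)")
```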