User Added to Security-Enabled Group During Windows Updates

JC34209324 51 Reputation points
2021-09-21T16:25:06.66+00:00

Hello, I've upgraded the OS on two VMs twice: once from Server 2008 to Server 2012 and another from Server 2012 to Server 2016. Following the OS upgrade, I've run Windows Updates to connect to Microsoft to patch the systems. When I've done this, there's an alarm triggered based on the event below.

I've had this happen on both servers during patching after the OS upgrades. Is this normal and what during Windows Updates causes SERVERNAME$ to be added to the local administrators group on the servers? Is there a specific process that performs this?

Application: microsoft-windows-security-auditing

Message: A member was added to a security-enabled local group.

Group Name: administrators

Source User: SERVERNAME$

Thank you!


1 answer

  1. Limitless Technology 39,296 Reputation points
    2021-09-22T07:32:07.363+00:00

    Hello @JC34209324,

    No need to be alarmed. This doesn't mean that SERVERNAME$ was added to the Administrators group, but instead that SERVERNAME$ was the source that made the change. This is some default behavior in the Security and Audit events. The behavior describes an inconsistency (still not explained) where the SERVERNAME is used instead of the USERNAME\USER format.

    There is a previous thread that describes this in a different scenario (using Exchange Management Console) but it applies to other aspects of the Event logging.

    https://social.technet.microsoft.com/Forums/exchange/en-US/c420673b-2c63-4b46-ac7d-62120f93c96d/exchange-2010-security-events-contain-servername-as-user-only?forum=exchangesvrsecuremessaginglegacy

    Hope this resolves your query,
    Best regards,

    --If the reply is helpful, please Upvote and Accept as answer--

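The distinction the answer draws (Subject = who made the change, Member = who was added) can be checked directly in the event data rather than in the alert's summary text. The following PowerShell is an added example, not code from the question or the answer: it reads "A member was added to a security-enabled local group" (Event ID 4732) from the local Security log and lists the Subject and Member fields separately. The `Administrators` group filter and the `-MaxEvents` value are assumptions; the field names are those of the Windows Security Auditing event schema.

```powershell
# Added example: separate "who performed the change" (Subject) from
# "who was added" (Member) in Event ID 4732. Run elevated on the server
# whose Security log you want to inspect.
function Get-LocalGroupAdditions {
    param(
        [string]$GroupName = 'Administrators',   # assumption: group from the question
        [int]$MaxEvents = 50                     # assumption: how far back to look
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Read the named fields from the event XML; the rendered message text
        # varies by OS version and language, the Data names do not.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TargetUserName is the group that was modified.
        if ($data['TargetUserName'] -ne $GroupName) { continue }

        # MemberName is frequently '-' in this event; resolve MemberSid instead.
        $member = $data['MemberName']
        if (-not $member -or $member -eq '-') {
            try {
                $sid    = [System.Security.Principal.SecurityIdentifier]$data['MemberSid']
                $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $member = $data['MemberSid'] }
        }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Group       = $data['TargetUserName']
            # The alert's "Source User" maps to Subject*: the account that made the change.
            Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            # A Subject ending in '$' is a computer account (e.g. SERVERNAME$), i.e.
            # a process running as SYSTEM on that host, not an interactive user.
            SubjectIsComputerAccount = $data['SubjectUserName'].EndsWith('$')
            # The account that was actually placed in the group.
            AddedMember = $member
            AddedSid    = $data['MemberSid']
        }
    }
}

Get-LocalGroupAdditions | Format-Table -AutoSize
```

If `AddedMember` is an account you expect (or the `AddedSid` resolves to a known service identity) while `Subject` is `SERVERNAME$`, the event matches the behaviour described in the answer; an unexpected `AddedMember` is what warrants follow-up, regardless of who the Subject is.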