Windows 2019 Standard new administrator losing roles

Teofilo Homsany 26 Reputation points
2021-06-26T12:20:44.907+00:00

Hi guys good morning,
I created a second domain administrator user on my Windows Server 2019 Standard and I am having issues that the user loses its administrative privileges after a few hours by itself.
Nothing is done, the server is not restarted but that administrator just becomes a regular user by itself so I can no longer go in as administrator.
The main administrator always works and does not have any issues but any administrator we create loses its permissions after a few hours and we have to reapply them to have it lose it again after some time.
What could be happening? There is no policy nor anything to disable the administrator after some time etc.
What could be causing this? It's really annoying.

UPDATE:
There is a Windows audit log number 4733 that is saying that the user was removed from Local Admin group. Why? I can't see the reason there but the log is showing Windows is removing the user from the group by itself.

Thanks,
Teo

Windows Server Security

5 answers

  1. Dave Patrick 426.2K Reputation points MVP
    2021-06-26T12:39:24.62+00:00

    Might check;
    whoami /groups
    also check the user's UAC settings

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Fan Fan 15,301 Reputation points Microsoft Vendor
    2021-06-28T01:53:15.733+00:00

    Hi,
    Do you mean you created a common user and added the user to the administrator group, and then the user is removed from the group?
    Or did you delegate the administrative permission to the users, and then the permission is lost?
    For the first situation, it is suggested to check whether there is a restricted group policy for the administrator group.
    You can check policies by running the command: gpresult /h c:\report.html.

    Best Regards,


  3. Dave Patrick 426.2K Reputation points MVP
    2021-06-30T11:12:59.793+00:00

    Just checking if there's any progress or updates?

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. Teofilo Homsany 26 Reputation points
    2021-07-01T14:11:45.68+00:00

    Looking at logs I am seeing that the user account keeps getting removed from local security policy by itself.
    Log with ID 4733.
    Don't know why the server is removing that account permissions but I see it now in the logs.


  5. Dave Patrick 426.2K Reputation points MVP
    2021-07-01T15:52:59.677+00:00

    Something here may help.
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733
    The subject should tell you who has made the request.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

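One way to read the Subject of the 4733 events discussed above, as an added example that is not part of the original thread: the script pulls the events from the Security log, keeps those for one local group, and lists which account performed each removal. The group name `Administrators` and the 7-day window are assumptions to adjust.

```powershell
# Added example (not from the thread): who removed members from a local group?
# Run in an elevated PowerShell session on the affected server.
# $GroupName and $Days are assumptions; adjust them for your environment.
$GroupName = 'Administrators'
$Days      = 7

$filter = @{ LogName = 'Security'; Id = 4733; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The named EventData fields are only reachable through the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName is the group the member was removed from.
    if ($data['TargetUserName'] -ne $GroupName) { continue }

    # MemberName is often "-" for local groups, so resolve MemberSid instead.
    $member = $data['MemberSid']
    try {
        $sid    = New-Object System.Security.Principal.SecurityIdentifier($member)
        $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }   # keep the raw SID if it cannot be resolved

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Group      = $data['TargetUserName']
        Removed    = $member
        Subject    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        SubjectSid = $data['SubjectUserSid']
        LogonId    = $data['SubjectLogonId']
    }
}

# Timeline of removals, oldest first.
$rows | Sort-Object Time | Format-Table -AutoSize

# Removals per subject. A subject that is the computer account (NAME$) or
# SID S-1-5-18 means a process running as SYSTEM made the change; Group Policy
# processing (for example a restricted group policy) is one such process,
# which the gpresult report mentioned above can confirm.
$rows | Group-Object Subject | Select-Object Count, Name
```

If the removals repeat at a regular interval, compare their timestamps with the Group Policy refresh times on the server.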