
Can NT AUTHORITY\SYSTEM User delete some applications or alert actions?

Hi everyone,

I came across a strange situation. One of my customers noticed that some applications were deleted by the NT AUTHORITY\SYSTEM user; we can see it in the audit events, like below. I also suspect this user might have deleted some of the alert actions too (there is no audit about actions). Does anyone have any idea about this?

Thanks

172147 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application McAfee Web Gateway (Linux and Unix) on node Unknown 2170 2170 N

172169 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SharePoint Server 2010 on node Unknown 460 460 N

172171 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SharePoint Server 2010 on node Unknown 462 462 N

172176 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SharePoint Server 2013 on node Unknown 2127 2127 N

172178 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SharePoint Server 2013 on node Unknown 2128 2128 N

172179 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SolarWinds Polling Engine Services on node Unknown 2337 2337 N

172180 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 2337 2337 N

172182 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 2246 2246 N

172184 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 2234 2234 N

190486 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 1848 1848 N

190487 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Microsoft Exchange on node Unknown 1848 1848 N

190488 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Services Exchange MBX on node Unknown 1848 1848 N

190489 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Mailbox Services on node Unknown 1848 1848 N

190491 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 1847 1847 N

190492 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Microsoft Exchange on node Unknown 1847 1847 N

190493 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Services Exchange MBX on node Unknown 1847 1847 N

190494 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Mailbox Services on node Unknown 1847 1847 N

190496 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Exchange 2010 Client Access Role Counters (Advanced) on node Unknown 1849 1849 N

190497 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Services Exchange on node Unknown 1849 1849 N

190498 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application CAS&HUB Services on node Unknown 1849 1849 N

192871 1/2/2019 7:47 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SolarWinds Manager Services on node Unknown 2380 2380 N

192872 1/2/2019 7:47 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Microsoft IIS on node Unknown 2380 2380 N

192873 1/2/2019 7:47 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SAP URL (http-https) on node Unknown 2380 2380 N

  • Never run into that before, but presumably the system account has been added to the Orion users list and there may be some kind of job set up to delete alerts based on some kind of rules. I've done similar things when helping to automate certain admin processes for people, but I always prefer to just set up a service account in AD rather than the system account.
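A way to triage audit rows like the ones in the question, added here as an example and not part of the original thread: it groups the deletions by account and minute, then by the trailing id, so each burst can be lined up against whatever ran on the server at that time. The column meanings and the names `parse_rows` and `deletion_bursts` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the audit rows posted in the question, copied verbatim.
SAMPLE = r"""
172179 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SolarWinds Polling Engine Services on node Unknown 2337 2337 N
172180 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 2337 2337 N
172182 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 2246 2246 N
190486 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 1848 1848 N
190487 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Microsoft Exchange on node Unknown 1848 1848 N
190488 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Services Exchange MBX on node Unknown 1848 1848 N
192871 1/2/2019 7:47 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SolarWinds Manager Services on node Unknown 2380 2380 N
"""

# Assumed column layout: event id, time, account, action type id, message,
# two object ids (always equal in the post), one-letter flag.
ROW = re.compile(
    r"^(?P<event_id>\d+) (?P<ts>\d+/\d+/\d+ \d+:\d+ [AP]M) (?P<account>.+?) "
    r"(?P<type_id>\d+) User .+? deleted application (?P<app>.+) "
    r"on node (?P<node>.+?) (?P<obj_id>\d+) \d+ \w$"
)

def parse_rows(text):
    """Return one dict per deletion row; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["ts"] = datetime.strptime(row["ts"], "%m/%d/%Y %I:%M %p")
            rows.append(row)
    return rows

def deletion_bursts(rows, min_size=2):
    """Group deletions by (account, minute); keep groups of min_size or more."""
    groups = defaultdict(lambda: defaultdict(list))
    for r in rows:
        groups[(r["account"].lower(), r["ts"])][r["obj_id"]].append(r["app"])
    return {
        key: dict(by_obj)
        for key, by_obj in sorted(groups.items(), key=lambda kv: kv[0][1])
        if sum(len(apps) for apps in by_obj.values()) >= min_size
    }

if __name__ == "__main__":
    for (account, ts), by_obj in deletion_bursts(parse_rows(SAMPLE)).items():
        print(f"{ts:%Y-%m-%d %H:%M} {account}")
        for obj_id, apps in by_obj.items():
            print(f"  id {obj_id}: {', '.join(apps)}")
```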