4 Replies Latest reply on Aug 25, 2015 10:45 AM by the_chad

    group changed "builtin\administrators" security enabled local group



      I'm fairly new to LEM, loving it so far!  Since I had set it up, the following alert "group changed "builtin\administrators" security enabled local group at" has been triggering every 15 - 20 minutes.  The Event name in the Console is "ChangeGroupAttribute".  This I suspect is a GPO we have that adds a couple service accounts to the local admins group on the member server.  What I would like to do is change the Rule to exclude Source Accounts with "$" in them rather that disable the rule all together.  However I don't know which rule is triggering the alert   Any ideas?