Hi Team
I am trying to get this plugin working for my environment, but with over 2000 tickets logged I'm hitting a bit of a wall.
The addon is constantly 'detecting' that accounts are being removed from the administrator group (and logging a ticket for each account... which adds up!).
It is detecting EVERY administrator - our domain admins group, local user accounts, the local Administrator account, are all being detected as being 'removed' from the local administrators setup. It so far doesn't look to have detected any as being added, but with the amount of tickets being logged I cannot confirm this fully.
I've modified the plugin to only alert us on adding new Administrators, but would like to eventually be alerted on both cases.
Issues with Admon detecting "user" removed
-
- Posts: 3
- Joined: Mon May 20, 2019 5:47 am
- 5
Re: Issues with Admon detecting "user" removed
Hi All
As an update to this, since changing the system to only alert on new user accounts, it appears the script is instead now just updating the SQL DB with all the 'newly scanned' accounts - I added a test admin account to one of my systems, and it has just added it to the list of "these are the local admins" instead of alerting that a new admin has been added.
Re: Issues with Admon detecting "user" removed
I will look into some of this next week once I get back from ITNation Explore. The monitor is a raw SQL internal monitor I believe if memory serves me well. I will need to have a peek at how it compares current to new?
Re: Issues with Admon detecting "user" removed
Hi
Any chance of a look in at this one? We still cannot enable "remove from group" as it just spams our ticketing system!
Thanks
Re: Issues with Admon detecting "user" removed
Confirmed this happened to us this week.
Added the plugin, then enabled it on the clients I wanted.
Day later 1000 tickets about accounts being removed.
I unchecked monitor for any removals from admin group and also unchecked create a ticket, for now.