Hello,
I've recently inherited rolling out my company's imaged laptops. All of our PCs/laptops have SEM installed. Recently I have deployed two Lenovo ThinkPad laptops that are sending us reports and we are unsure what is causing it and/or how to fix it. The alert summary states: member "pcname\lenovo_tmp_*****" added to group "builtin\administrators" with the Modified by being the PC name and then immediately (~2 seconds later) reporting that it's been removed from the aforementioned group. We have the same process of deploying PCs that we do for laptops, the only difference being we install Symantec Endpoint Encryption on all of our laptops. None of our PCs report this event so my thought is that it is most likely related to the encryption in some form as it also only reports when the user arrives in the morning. There is a local admin user we use for the image that we remove from the administrators group after joining the domain but this is done prior to installing SolarWinds.
Has anyone come across this or know what's causing the event so that we can avoid clogging our alerts and change management logs?