Skip to main content

Active Directory | Repeated Default Administrator Account Enabled Alerts

Overview 💥

The Default Administrator Account Enabled actionable alert triggers when Liongard detects that the built-in Active Directory Administrator account (RID-500) is enabled during inspection. Because this account possesses unrestricted domain privileges and is commonly targeted during attacks, Liongard generates an alert whenever it is detected as enabled.

Example:

In some environments, partners may notice the alert repeatedly reopening even when:

  • The Administrator account is confirmed disabled

  • No configuration changes were made

  • The alert was previously acknowledged or resolved

This article explains why repeated alerts occur, how detection works, and how to permanently resolve unintended alert behavior.

How Liongard Detects This Condition 🤔

The alert evaluates the metric:

DefaultAdministratorEnabled

This metric checks only the built-in Administrator account, identified by:

  • Security Identifier ending in -500

  • Default domain administrative account

Liongard determines status based on the Active Directory attribute:

userAccountControl

Specifically:

Account State

Result

ACCOUNTDISABLE flag present

False

ACCOUNT enabled

True

Inspection unavailable

Null

Root Cause 🌟

Repeated alerts are usually not caused by the account being enabled. Instead, they occur when Liongard inspections temporarily return a null metric value, which appears as a state change when alert rules use the Changed operator.

Example:

Common causes include:

  • Domain Controller query interruption

  • Active Directory replication delay

  • Agent communication timeout

  • Inspection parsing interruption

  • Cached inspection inconsistencies

When the next inspection succeeds:

null → false/true

Liongard interprets this as a change and reopens the alert.

Why Alerts Reopen After Resolution 🧐

Actionable Alerts are inspection-state based, not event-based.

If the alert rule uses:

Operator: Changed

ANY transition triggers a new alert:

null → false
false → true
null → true

Even when the Administrator account never changed.

Expected vs Unexpected Behavior 🧭

✅ Expected Scenarios

Alerts may be intentional when:

  • Administrator account is used as break-glass access

  • Legacy applications require RID-500 account

  • Security policy permits enabled fallback admin

⚠️ Unexpected Scenarios

Investigation is required if:

  • Account was recently enabled

  • Audit logs show Event ID 4722

  • Unauthorized privilege escalation suspected

Steps to Resolve 🧑‍💻

1️⃣ Confirm Administrator Account Status

Run on a Domain Controller:

Get-ADUser -Identity "Administrator" -Properties Enabled

Expected secure state:

Enabled : False/true

2️⃣ Validate Security Audit Logs (Optional)

Check enable/disable activity:

Get-WinEvent -FilterHashtable @{
LogName='Security';
ID=4722,4725
}

Event ID

Meaning

4722

Account Enabled

4725

Account Disabled

3️⃣ Verify Metric Output in Liongard

Navigate:

Admin → Inspectors → Active Directory → Select your Active Directory System → Data Print Explorer

Search:

DefaultAdministratorEnabled

Interpretation:

Result

Meaning

False

Expected

True

Account enabled

Null

Likely alert trigger source

4️⃣ Correct Alert Rule Configuration ⭐ (Most Important)

Navigate:

Admin → Actionable Alerts → Rules

If rule uses:

Operator: Changed

Clone and update to:

Operator: =
Threshold: True

✅ Alert now triggers only when account is actually enabled

After cloning:

  • Apply updated rule

  • Disable original rule

5️⃣ Run Inspector in Debug + Clear Cache Mode

This removes stale inspection results and stabilizes metric output.

Verify consistent results across multiple inspections.

6️⃣ Validate Liongard Agent Health

Confirm:

Admin → Agents → Select your agent

  • Agent Online

  • Recent heartbeat present

  • No inspection failures

Server validation:

Get-Service LiongardAgent

Expected:

Status : Running

When to Contact Liongard Support 🦁

Contact support if:

  • Administrator account is disabled

  • No enable audit events exist

  • Metric repeatedly returns null

  • Alerts persist after rule correction

Provide:

  • PowerShell validation output

  • Event Viewer logs

  • Data Print metric value

  • Alert configuration screenshot

Security Best Practice 🔐

Microsoft security guidance recommends:

✅ Disable built-in Administrator when possible
✅ Rename RID-500 account
✅ Use monitored emergency access accounts instead

Summary 🤩

Repeated Default Administrator alerts are typically caused by:

✅ Metric state transitions
✅ Temporary inspection null values
✅ Use of the Changed alert operator

Not actual account changes.

Recommended resolution:

  • Validate account state

  • Review metric output

  • Replace Changed with = True

  • Clear inspection cache

  • Confirm agent health

This ensures alerts trigger only for genuine security risk conditions.

Did this answer your question?