Active Directory | Repeated Default Administrator Account Enabled Alerts

Overview 💥

The Default Administrator Account Enabled actionable alert triggers when Liongard detects that the built-in Active Directory Administrator account (RID-500) is enabled during inspection. Because this account possesses unrestricted domain privileges and is commonly targeted during attacks, Liongard generates an alert whenever it is detected as enabled.

Example:

In some environments, partners may notice the alert repeatedly reopening even when:

The Administrator account is confirmed disabled
No configuration changes were made
The alert was previously acknowledged or resolved

This article explains why repeated alerts occur, how detection works, and how to permanently resolve unintended alert behavior.

How Liongard Detects This Condition 🤔

The alert evaluates the metric:

DefaultAdministratorEnabled

This metric checks only the built-in Administrator account, identified by:

Security Identifier ending in -500
Default domain administrative account

Liongard determines status based on the Active Directory attribute:

userAccountControl

Specifically:

Account State	Result
ACCOUNTDISABLE flag present	False
ACCOUNT enabled	True
Inspection unavailable	Null

Root Cause 🌟

Repeated alerts are usually not caused by the account being enabled. Instead, they occur when Liongard inspections temporarily return a null metric value, which appears as a state change when alert rules use the Changed operator.

Example:

Common causes include:

Domain Controller query interruption
Active Directory replication delay
Agent communication timeout
Inspection parsing interruption
Cached inspection inconsistencies

When the next inspection succeeds:

null → false/true

Liongard interprets this as a change and reopens the alert.

Why Alerts Reopen After Resolution 🧐

Actionable Alerts are inspection-state based, not event-based.

If the alert rule uses:

Operator: Changed

ANY transition triggers a new alert:

null → false
false → true
null → true

Even when the Administrator account never changed.

Expected vs Unexpected Behavior 🧭

✅ Expected Scenarios

Alerts may be intentional when:

Administrator account is used as break-glass access
Legacy applications require RID-500 account
Security policy permits enabled fallback admin

⚠️ Unexpected Scenarios

Investigation is required if:

Account was recently enabled
Audit logs show Event ID 4722
Unauthorized privilege escalation suspected

Steps to Resolve 🧑‍💻

1️⃣ Confirm Administrator Account Status

Run on a Domain Controller:

Get-ADUser -Identity "Administrator" -Properties Enabled

Expected secure state:

Enabled : False/true

2️⃣ Validate Security Audit Logs (Optional)

Check enable/disable activity:

Get-WinEvent -FilterHashtable @{
LogName='Security';
ID=4722,4725
}

Event ID	Meaning
4722	Account Enabled
4725	Account Disabled

3️⃣ Verify Metric Output in Liongard

Navigate:

Admin → Inspectors → Active Directory → Select your Active Directory System → Data Print Explorer

Search:

DefaultAdministratorEnabled

Interpretation:

Result	Meaning
False	Expected
True	Account enabled
Null	Likely alert trigger source

4️⃣ Correct Alert Rule Configuration ⭐ (Most Important)

Navigate:

Admin → Actionable Alerts → Rules

If rule uses:

Operator: Changed

Clone and update to:

Operator: =
Threshold: True

✅ Alert now triggers only when account is actually enabled

After cloning:

Apply updated rule
Disable original rule

5️⃣ Run Inspector in Debug + Clear Cache Mode

This removes stale inspection results and stabilizes metric output.

Verify consistent results across multiple inspections.

6️⃣ Validate Liongard Agent Health

Confirm:

Admin → Agents → Select your agent

Agent Online
Recent heartbeat present
No inspection failures

Server validation:

Get-Service LiongardAgent

Expected:

Status : Running

When to Contact Liongard Support 🦁

Contact support if:

Administrator account is disabled
No enable audit events exist
Metric repeatedly returns null
Alerts persist after rule correction

Provide:

PowerShell validation output
Event Viewer logs
Data Print metric value
Alert configuration screenshot

Security Best Practice 🔐

Microsoft security guidance recommends:

✅ Disable built-in Administrator when possible
✅ Rename RID-500 account
✅ Use monitored emergency access accounts instead

Summary 🤩

Repeated Default Administrator alerts are typically caused by:

✅ Metric state transitions
✅ Temporary inspection null values
✅ Use of the Changed alert operator

Not actual account changes.

Recommended resolution:

Validate account state
Review metric output
Replace Changed with = True
Clear inspection cache
Confirm agent health

This ensures alerts trigger only for genuine security risk conditions.