Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations John Tel on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

admin password being reset

Status
Not open for further replies.
sqw

sqw

Technical User
Mar 28, 2002
61
GB
Hi
We have had a problem were 3 of our customers admin passwords have been changed by someone in the past 5 days. Even though all sites have got complex passwords and one of has the admin account renamed to something else. It is definatly not some one in our company doing it. If I check the event log there is event 627 in there but nothing else but there seems to be alot of the log missing. We have virus checked all server and they are all clean and are running sophos with the latest updates. Please can you help us understand what is happening here as it seems hard to believe a hacker could break into 3 servers that have the complex passwords.
Thanks
 
Sort by date Sort by votes
Anything is possible. I would diable or rename the "administrator" account to something else. You can do this through group policy.

I would also recommend downloading a free 30 day trial of eventmiester



This program can be setup to alert you of any event id you setup.

So if it see event id 123 it will email you. LIVE.

Then you can be proactive and see who is logged on the server and see what is going on.
 
Upvote 0 Downvote
As per the above, you should also ensure that auditing is enabled on account objects. From there you will be able to check the security event log for any modifications to the Adminsitrator account
 
Upvote 0 Downvote
we have now turned auditing on in an attempt to find out the cause. Coiuld it be a virus or hacker?
 
Upvote 0 Downvote
It could be then again it could be an internal issue, checking the security logs daily for any suspicious activity is a good start. You may want also check firewall logs to check on any possible intrusions.
 
Upvote 0 Downvote
Provided their is no spyware on the system, the first thing I would do is check to see who else on the network has admin rights and remove their access. Then rename the admin ID and reset the password.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MattM1975
  • Locked
  • Question
Domain Admin Logon 1
Replies
2
Views
334
ADB100
ADB100
goombawaho
  • Locked
  • Question
Microsoft Azure Active Directory - Backup Admin Account 1
Replies
2
Views
923
goombawaho
goombawaho
Mohamed-IT
  • Locked
  • Question
Windows server 2019 password locked
Replies
1
Views
269
strongm
strongm
penguinroundup
  • Locked
  • Question
programmatically delete all saved passwords for IE for any user
Replies
0
Views
292
penguinroundup
penguinroundup
shmoes
  • Locked
  • Question
Delegating file admin permission
Replies
3
Views
268
SamBones
SamBones

Part and Inventory Search

Sponsor

Back
Top