Hi,
We had a VERY weird thing happen this morning. It appears that the domain administrator (administrator) password was somehow changed. I have no idea what the new password is. No intrusion was detected and I was the only one in the office at the time. I went to RDP into a server and got the message that the system could not log me in due to incorrect username or password. The console for one of the domain controllers was already up and logged in, and I found this in the security event log:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 10/20/2010
Time: 8:04:14 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: xxxxDC01
Description:
User Account Changed:
Target Account Name: Administrator
Target Domain: NORTHVILLE
Target Account ID: NORTH\Administrator
Caller User Name: xxxxDC01$
Caller Domain: NORTHVILLE
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 10/20/2010 8:04:14 AM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -
I have a backup enterprise admin account and a backup domain admin account I could use to change the password back to something I would know.
I don't know what ramifications I would have changing it without knowing the old one.
Any help would be appreciated.
Jeff