Hacking attempt?

[kathanon]

Hi

I wonder if anyone can shed any light on this, I came in this week and checked the logs on the server to find that there had been 6 unsuccessful attempts to log in as administrator at the weekend. They were not internal. We always log off the DC when we finish working as administrator. We do have OWA but anyway no-one should be logging into that mailbox. We have a firewall and also require a Ctrl Alt Del to get to the logon screen. We have VNC, but you need a password to even connect and that only runs when the account is logged on. I am puzzled.

I have been meaning to rename the admin account but just haven't got around to it and didn't feel confident enough that there are no other vital services running under that. I will try it today though, and see if there are any failed logons overnight for that account.

Can anyone tell me, if I change it by right clicking on it in AD users and computers/users, will that also change it for any other uses, I noticed a setting in Domain Controller, local policy, so am not sure where and how to rename it.

Many thanks for any help


Kathy

 

[brontosaurus]

Hi Kathy, you can set this on the Default Domain Controllers policy instead.
If you were to set it at the Domain level, the new administrator name would flow down to all computer objects that are members of the domain...

 

[kathanon]

Thanks brontosaurus,

I have just done it and ran into a few problems, I made a new group policy, then edited it using computer configuration/windows settings/security settings/local policies/security options. I renamed the account, then tested it and logged on fine. After about 5 minutes, things started to crash on the network. I got error messages in the event viewer saying this

usernv event id 1000
Windows cannot obtain the domain controller name for your computer network return value (2146)

I went and re-edited the group policy and then unchecked the "define this policy setting"

Things seem back to normal now, except, of course, that I still have the name as administrator.

I was wondering if it was because it was taking a while to propagate to all the services etc.

Thanks

Kathy

 

[brontosaurus]

couple of questions:

How many DC's do you have?
You say you created a new policy, what container did you link it to?

 

[kathanon]

We only have one DC. I made the group policy by opening AD users and computers and right clicking at the domain level and going to the group policy tab in properties

What I have noticed is that it has been renamed on all the clients now. However, I have changed it back to administrator on the DC for the moment. I would still like to change it for security purposes though.

Thanks

Kathy

 

[brontosaurus]

so you applied the policy at the domain level, I guess? That's what i mentioned before, about all the computer members adopting the changed admin name if you do that. If you don't mind that, why not delete the policy you created, and just effect the change on the Default Domain Policy?

 

[kathanon]

It was more that the network more or less crashed and I got the error message that I mentioned above. That was what really worried me. Have you seen that before?

Maybe I will try it overnight and see what happens. Also whether the batch file for the backup will run.

Thanks for all the help

Kathy

 

[brontosaurus]

No, I've never seen that, very strange...
Please let me know how it goes if you decide to move forward.

 

[kathanon]

Yes, I will do

Thank you for all the help, it is really appreciated

Kathy

 

[bas95]

Kathanon,

In this tread I saw you are strubbling with the following error message:

usernv event id 1000
Windows cannot obtain the domain controller name for your computer network return value (2146)

Did you found a solution for this problem...

I am very interested because I have the same problem at this moment (occurs 3 times last month)

Thanks for you help (if available)

Regards,

Bastiaan van Utrecht
Shimano