Have I been attacked/Infected?

[doonage]

I not sure where to start. I administer a SBS2003 domain with about 65 usrs. Over the last week, about 10 of my user have lost all access to their machines. They can logon but thats about it. They aren't not able to Read/Write to any folder that they used to have access to including the "My Documents" folder. When I logon to their pc's usng a domain admin acount, I to have lost all access to the same files, domain admins is no longer a member of the local admins group. The only way I seem to be able to resolve this is to logon as a local admin and re-assign these permissions. Now this has resolved the issue on most pc but some users experience the same problems after every reboot. All the pc's are XP sp2.I have two questions.

1. Is a script causing this? Is some script kiddie have some fun at my expense?
2. Is there a script I can run that will return all the permission to what they should be.

 

[burtsbees]

System Restore back to before this happened, but back up the system including the registry before you do, and install the backup onto a junk machine and pick it apart later, like run HijackThis! in Safe Mode.

Burt

 

[Motiv]

I would use some sysinternals tools like autoruns/process explorer and see whats going on, on the workstations.

Run a netstat and also look at the services running. Was there any other users/groups in the local Administrators group?

Check out the Scheduled Tasks on each box too and see if you see anything suspicious.