
Mysterious Domain Admin Password Change


Dinkytoy

IS-IT--Management
Jun 14, 2007
Hi I'm looking for some advice.

This morning we've all had a bit of a panic. Our Domain Admin account had its password changed at some point overnight. No-one with access has admitted any responsibility and we've had to go through a recovery process to get up and running again.

That done and password changed we've started to try and find out what actually happened and who changed it and we are certainly not ruling out a malicious user.

The problem I have is trying to track it down; our DC event logs don't seem to point to anything. Are there any events or actions I can look for to pinpoint what happened?

Any advice or pointers welcome.

thanks.
 
If you had account auditing turned on you will be able to see events like this, including time/date..etc

You can enable this in your Domain Security Policy for future tracking. As far as trying to find a history of this being changed without some type of auditing of these events, I wouldn't think there would be a way to find out who/what/where/when. Time to tighten up security ;)
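Turning the advice above into a query you can run against each DC, as an added PowerShell example that is not from this thread. It assumes a Windows Server 2008 or later DC (Get-WinEvent, event IDs 4723/4724 for a password change/reset and 1102 for a cleared Security log; a 2003-era DC logs 627/628/517 instead), that account-management auditing was already on when the change happened, and 'Administrator' as a placeholder for the affected account.

```powershell
# Added example (not from the thread). Check first that the category is on:
#   auditpol /get /subcategory:"User Account Management"
# Without that, the Security log holds nothing about the change.
param(
    [string]$DomainController = $env:COMPUTERNAME,   # run on, or point at, each DC in turn
    [int]$Hours = 24,                                # how far back to look
    [string]$TargetAccount = 'Administrator'         # placeholder: the account that was changed
)

$since = (Get-Date).AddHours(-$Hours)

# 4723 = user changed their own password, 4724 = password reset by another principal,
# 1102 = Security log cleared (the "unless someone cleared the logs" case).
$filter = @{ LogName = 'Security'; Id = 4723, 4724, 1102; StartTime = $since }
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

    if ($e.Id -eq 1102) {
        # 1102 carries its fields under UserData, not EventData
        $subject = "$($xml.Event.UserData.LogFileCleared.SubjectDomainName)\$($xml.Event.UserData.LogFileCleared.SubjectUserName)"
        $target  = '(Security log cleared)'
    } else {
        $subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"   # who did it
        $target  = "$($data.TargetDomainName)\$($data.TargetUserName)"     # whose password
    }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Subject = $subject
        Target  = $target
        DC      = $e.MachineName
    }
}

# Keep the resets of the account in question plus any log-clearing, oldest first
$rows |
    Where-Object { $_.Id -eq 1102 -or $_.Target -like "*\$TargetAccount" } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it against every DC, not just one: the password change is logged on the DC that processed it, and a replicated change leaves no 4724 on the others.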
 
Your security events should show the password change event.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
As Davetoo said, it should be in the log as to when it happened. Unless some malicious person cleared the logs.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
This begs another question: Why are you using your original Domain Admin account instead of a secondary account with the same privileges? You should not have to restore just because the password is changed.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
Ok some info. I've found a password change event in the logs.

I'm going to take some abuse for this from you guys and internally I know.

It occurred shortly after I installed gpedit on the box and possibly coincided with me stepping away from my machine for two minutes to move my car. I'm unsure if it was locked or not (normally is), so now I'm super paranoid of two people who had potential access.

Now that said, I continued to work uninterrupted on the box for a further hour or so (creating a restricted access GPO for a guest user) and we saw no errors until about 8 hours later.

I was sure I had created a backup/alternative admin account (it is there now btw) but when I checked no sign of it so I figured I just thought I'd done it.

We are a small company with only about 30 AD users so security hasn't really ever been looked at in a serious way, that I think will now change.
 
No abuse from us...in a company that small there is a certain amount of trust that is expected of everyone. Unfortunately clearly in your case that trust has been lost because someone stepped up and changed the password. It makes sense that it took 8 hours to notice because the account would slowly get locked out as you tried to access resources under the logged in account that had the wrong password.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 