
Rouge User Account


dberg35 (IS-IT--Management), May 12, 2006
I just found a user account that was created with admin access. Is there a way to find out who did this and when?
 
Security logs should show it.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
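The reply above points at the Security logs; the following is an added example (not code from the thread) showing how that lookup is actually done from PowerShell. It answers the two questions in the original post: when the account was created (the AD object records that itself, even after the Security log has wrapped) and, if the log still covers that window, who created it and who added it to an admin group. It assumes the RSAT ActiveDirectory module is installed; `svc_backup2` and `DC01` are placeholder names for the rogue account and a domain controller.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module; 'svc_backup2' and 'DC01' are placeholder names.
$Account = 'svc_backup2'
$DC      = 'DC01'

# 1. Creation time is stored on the object itself (whenCreated is replicated, so
#    any DC will do). This survives even when the event logs have been overwritten.
$user = Get-ADUser -Identity $Account -Server $DC -Properties whenCreated, whenChanged, memberOf
'{0}: created {1:u}, last changed {2:u}' -f $user.SamAccountName, $user.whenCreated, $user.whenChanged
$user.memberOf                    # DNs of groups it is a direct member of

# 2. Event IDs to search for.
#    Windows 2000/2003:         624 = user account created,
#                               632 / 636 = member added to global / local security group
#    Windows Vista/2008 and on: 4720 = user account created,
#                               4728 / 4732 / 4756 = member added to global / local / universal group
$ids   = 624, 632, 636, 4720, 4728, 4732, 4756
$since = $user.whenCreated.AddMinutes(-5)

# 3. Query every DC, because the event is written only on the DC that processed the
#    change. Matching on the message text catches both 4720 (account is the target)
#    and 4728-style events (account appears as a member DN); it assumes the
#    sAMAccountName also appears in the DN. Get-WinEvent needs Vista/2008 or later
#    on the target; for a Windows 2003 DC use instead:
#    Get-EventLog -ComputerName $dc -LogName Security -After $since |
#        Where-Object { 624, 632, 636 -contains $_.EventID }
$events = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $ids; StartTime = $since
    } |
    Where-Object { $_.Message -match "(?i)\b$([regex]::Escape($Account))\b" } |
    Select-Object MachineName, TimeCreated, Id,
        @{ n = 'Actor';  e = { $x = [xml]$_.ToXml(); ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text' } },
        @{ n = 'Target'; e = { $x = [xml]$_.ToXml(); ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text' } }
}

# Actor = who made the change; Target = the account (4720) or the group (4728/4732/4756).
$events | Sort-Object TimeCreated | Format-Table MachineName, TimeCreated, Id, Actor, Target -AutoSize
```

If every DC's Security log has already wrapped past the creation time, no log query will name the creator. The replication metadata still helps narrow it down: `repadmin /showobjmeta <DC> "<object DN>"` lists the originating DC and time for each attribute, which tells you which DC's log would have held the 624/4720 event and roughly when, even if that log is gone.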
 
Davetoo,
Thanks, and I just looked; they do not go back to that time frame.
 
I'd change the password on the account and see if anyone is dumb enough to complain. I'd also remove them from the Admin groups...

 
...I'd also then keep an eye on the account, and if it's changed again, check the security logs to see who manipulated that account. Check after you change their access rights so you can get the event ID to look for (it escapes me right now).

 
That is the problem, isn't it? I have no idea who created it. At that time the event logs were set to store only a small amount of data and then overwrite; I have changed that and forced everyone to change passwords.
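The post above describes the underlying failure: a Security log sized so small that it wrapped before anyone looked. As an added example (not from the thread), this is how that fix is applied and verified across every domain controller from PowerShell, since account and group changes are logged only on the DC that processed them. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and DCs running Windows 2008 or later; the 1 GB size is illustrative and should be sized from your actual event rate.

```powershell
# Added example, not code from the thread. Assumes RSAT ActiveDirectory, WinRM to
# each DC, and Windows 2008+ DCs. $MaxBytes is an illustrative value.
$Servers  = (Get-ADDomainController -Filter *).HostName     # or a literal list of names
$MaxBytes = 1GB                                              # must be a multiple of 64 KB

foreach ($s in $Servers) {
    Invoke-Command -ComputerName $s -ArgumentList $MaxBytes -ScriptBlock {
        param($max)
        # 1. Bigger log, overwrite-as-needed (/rt:false) so the DC never stops
        #    logging when the file fills. On Windows 2003 this is the Security log's
        #    properties dialog or the Event Log section of the DC security policy.
        wevtutil sl Security /ms:$max /rt:false

        # 2. Make sure the events we want are generated at all. Both subcategories
        #    correspond to the 2003-era "Audit account management" policy.
        auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable
        auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
    }

    # 3. Confirm, and report how far back the log now reaches. Re-run this
    #    periodically: if "oldest" is only hours old, the log is still too small.
    $log    = Get-WinEvent -ComputerName $s -ListLog Security
    $oldest = Get-WinEvent -ComputerName $s -LogName Security -Oldest -MaxEvents 1
    '{0}: max {1:N0} MB, {2:N0} records, oldest event {3:u}' -f $s, ($log.MaximumSizeInBytes / 1MB), $log.RecordCount, $oldest.TimeCreated
}
```

A larger local log is a stopgap. Anyone with admin on the DC can still clear it (which itself logs 517 on Windows 2003, 1102 on later versions), so the durable fix is to forward Security events off the DCs to a collector or SIEM where they cannot be wrapped or wiped from the box being investigated.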
 
I just realised that the thread title is a typo - have been wondering what "Rouge" had to do with your problem...
 
Huh? You mean this isn't a cosmetic cover up? ;-)

 
...I have changed that and forced all to change passwords.

You should change the password on the rogue user to deny him access. If the rogue user is forced to change it him/herself, then all that will show in the security log is that the rogue user changed their password, not who the rogue user is.

Also, did you follow Davetoo's other suggestion and remove the rogue user from the admin group?

Cheers.
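Davetoo's earlier replies (reset the password, remove the account from the admin groups, then keep an eye on it and pick up the event ID from your own change) and the last reply (reset it administratively rather than forcing a user change, so the log shows you as the actor) describe one containment procedure. Here it is end to end as an added example, not code from the thread. It assumes the RSAT ActiveDirectory module and is run from a domain controller or with the DC's Security log in scope; `svc_backup2` is a placeholder account name, and the privileged-group list is a common default, not something the thread specifies.

```powershell
# Added example, not code from the thread. Assumes RSAT ActiveDirectory;
# 'svc_backup2' and the group list are placeholders.
$Account = 'svc_backup2'
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators'

# Snapshot the account before touching it, for the incident record.
$before = Get-ADUser -Identity $Account -Properties memberOf, whenCreated, whenChanged, lastLogonTimestamp, adminCount
$before | Export-Clixml -Path ".\$Account-before.xml"

# 1. Reset, do not ask the user to change. An administrative reset logs 4724
#    (628 on Windows 2003) with YOUR account as the subject; a user-initiated
#    change logs only 4723 (627), showing the rogue account changing its own
#    password, which is exactly the problem the last reply points out.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $Account -Reset -NewPassword $newPwd

# 2. Remove it from every privileged group. Direct membership is removed here;
#    membership reached through a nested group is reported for manual follow-up.
foreach ($g in $PrivilegedGroups) {
    $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue   # Enterprise/Schema Admins exist only in the forest root
    if (-not $group) { continue }
    $members = Get-ADGroupMember -Identity $group -Recursive
    if ($members.SamAccountName -contains $Account) {
        if ($before.memberOf -contains $group.DistinguishedName) {
            Remove-ADGroupMember -Identity $group -Members $Account -Confirm:$false
            "Removed $Account from $g"
        } else {
            "WARNING: $Account reaches $g through a nested group; trace and remove that path"
        }
    }
}
# Note: a former protected-group member keeps adminCount=1 and inheritance disabled
# (AdminSDHolder); clear those by hand if the account is to stay in service.

# 3. Look at the log right now, while your own reset and removals are fresh. This
#    is the "check after you change their access rights" trick: the IDs you see for
#    your own actions (4724 reset; 4729/4733/4757 member removed from global/local/
#    universal group) are the family to watch for, alongside 4723/4724 password
#    change/reset, 4728/4732/4756 member added, and 4738 account changed.
$watchIds = 4723, 4724, 4728, 4729, 4732, 4733, 4738, 4756, 4757
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $watchIds; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "(?i)\b$([regex]::Escape($Account))\b" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Step 3 is worth re-running on a schedule (or turning into an alert on those IDs for that account) for as long as the account is left in place as bait. If you would rather not leave it usable at all, `Disable-ADAccount -Identity $Account` after the reset still preserves the object and its `whenCreated` timestamp for the investigation.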
 