OK. A little history. I'm in a corporate environment with XP workstations. I came back to my desk yesterday after lunch to find my desktop wallpaper had been changed to the Internet Explorer Wallpaper, which was a male underwear model. I'm a guy. I'm straight. This is obviously a prank being played. I'm a good sport. I know when I've been got. I thought it mildly funny. I figured I must have forgotten to lock my workstation before I left for lunch and somebody decided to have a little fun. No big deal.
So today after I get back from lunch I find the same thing. Different picture but the same theme. I'm less amused this time. The first day it was funny. The second time begins to become irritating. And I KNOW I didn't leave my workstation unlocked when I left for lunch today. So now I'm hell-bent to figure out how it was done and who did it. I have an idea of who did it but I'm not positive. A team member. But I'd rather figure out how he did it as opposed to just throwing my hands up and saying "OK, who's been messing with my workstation?"
Here are the facts:
1. My workstation was locked.
2. I wasn't forcibly logged off, had somebody log on a different account, make the change, then logout and log me back on. I had about 8 IE windows open when I locked it before lunch and they were all there when I came back and unlocked it. My password has not been compromised.
3. My normal background is a JPG on my hard drive. The 'changed' background was the 'Internet Explorer Wallpaper'
4. It's possible that the person who did this has access to domain level administrator rights. I do not.
5. I am the local administrator to my workstation.
6. I did find the website the pictures were gotten from when I looked into my IE history.
7. My 'My Documents' folder is redirected to a network server.
8. I checked my security log. With the exception of SYSTEM and NETWORK SERVICES nobody accessed my workstation between the time I left for lunch and came back.
That's the pertinent facts as I can see them. I'm hoping sonebody can tell me how this was accomplished and how I can trace the userID that was used to do it.