Two days ago we found, on one of my client's networks, that the Domain administrator password had been changed. After reviewing who knows the admin password (very few people) and asking them if they may have logged in and inadvertently changed it, we've come to a dead end. We'd like to find out HOW we can determine when and from where it was changed. We know, from our security logs, about when it occurred, due to authentication failures coming from our Barracuda spam firewall, but we need more info.
Is anyone familiar with software or utilities that might allow us to find out how this happened, and from what workstation or source?