Determine details surrounding rogue account creation

I see that someone created a new Active Directory account at 2am last night, suspiciously named "Admin." How can I learn details relating to this event? I'd like to know:

a) What user account was used to create the account
b) What machine it was created from
c) Whether or not this new account has actually been used

My server is Windows 2000 Server with service pack 4.
stevengraffAsked:

sk_raja_rajaCommented:
Your best option is to go to the security event log on the DC and check for events at that time...you should be able to find the user who created the new account in the security event log.....

Also, right-click the newly created user account and open its object info; this will show you the created time.
0
stevengraffAuthor Commented:
At 2:08:46 I get all three of the following, under category Account Management:

User Account password set:
     Target Account Name:    admin
     Target Domain:    PEDOMAIN
     Target Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
 

User Account Changed:
     Account Enabled.  
    'Password Not Required' - Disabled
     Target Account Name:    admin
     Target Domain:    PEDOMAIN
     Target Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -


User Account Created:
     New Account Name:    admin
     New Domain:    PEDOMAIN
     New Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
     Privileges        -


Is it significant that the Caller User Name is actually the machine name of my DC?
0
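A defender-side triage script, added here and not part of the thread, that parses event text in the layout quoted above and answers (a) and (c): who the caller was, whether that caller is a machine account acting in the LocalSystem logon session (a Caller Logon ID of (0x0,0x3E7) is the well-known LocalSystem session, so the creation was performed by a process running as SYSTEM on the DC rather than by an interactive administrator), and whether the new account logged on afterwards. The sample records are constructed: the creation event mirrors the one posted, while the later "Successful Logon" record and the workstation name WKS-17 are invented to exercise the has-it-been-used check.

```python
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # well-known LocalSystem logon session id

# Constructed sample in the layout of the events quoted above; the final
# "Successful Logon" record is invented to show the has-it-been-used check.
SAMPLE_LOG = """\
02:08:46 User Account Created:
     New Account Name:    admin
     New Domain:    PEDOMAIN
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
     Privileges        -

03:15:02 Successful Logon:
     User Name:    admin
     Domain:    PEDOMAIN
     Logon Type:    3
     Workstation Name:    WKS-17
"""

def parse_events(text):
    # An unindented "time Title:" line starts an event; indented "Field:  value"
    # lines belong to it (a field line without ':' is kept with an empty value).
    events, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            time, title = line.split(" ", 1)
            current = {"time": time, "title": title.rstrip(":"), "fields": {}}
            events.append(current)
        elif current is not None:
            key, _, value = line.strip().partition(":")
            current["fields"][key.strip()] = value.strip()
    return events

def triage(events):
    # For each created account: who created it, whether the caller is a machine
    # account in the LocalSystem session, and any later logons by that account.
    found = {}
    for ev in events:
        if ev["title"] == "User Account Created":
            f = ev["fields"]
            caller = f.get("Caller User Name", "")
            found[f["New Account Name"].lower()] = {
                "created_at": ev["time"], "caller": caller,
                "caller_is_machine_account": caller.endswith("$"),
                "caller_is_localsystem": f.get("Caller Logon ID") == SYSTEM_LOGON_ID,
                "logons": []}
    for ev in events:
        if ev["title"] == "Successful Logon":
            user = ev["fields"].get("User Name", "").lower()
            if user in found:
                found[user]["logons"].append(
                    (ev["time"], ev["fields"].get("Workstation Name", "?")))
    return found
```

A creation whose caller is the DC's own machine account under LocalSystem points at a service or scheduled task on the DC itself; the process list and task scheduler on that host, not a user's workstation, are the next place to look.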
ChiefITCommented:
There is enhanced AD account information that you can provide yourself:
http://www.petri.co.il/add_user_account_information_to_dsa.htm

What I would do is look at the SID of this using the enhance AD account info and determine if your DC was trying to be backwards compatible with a program that uses NTLMhash authentication.

To determine this, you would get a short SID.

Also, for security reasons, download HijackThis and post the results on this web site for analyzing processes that may be running under an NTLM hash or LM hash authentication protocol. Viruses often don't try to use Kerberos SIDs to run because of how hard Kerberos is to hack:

http://www.hijackthis.de/index.php?langselect=english#anl
0
stevengraffAuthor Commented:
ChiefIT,

I cannot get this to work, though I have tried on both a Windows Server 2003 machine (which is not the dc, but does have AD on it) and the DC, which is actually a Win2K Server box (so I shouldn't expect it to work?)

 regsvr32 %systemroot%\system32\acctinfo.dll

I keep getting "LoadLibrary("c:\windows\system32\acctinfo.dll") failed - The specified module could not be found."
0
stevengraffAuthor Commented:
Actually, I see now that this may not be supported in a 64-bit environment. Is there an equivalent for use on 64-bit? or for use on the Win2K server?
0
ChiefITCommented:
Terribly sorry about the slow response. Had a lot of fires to take care of.

64 bit 2000 server, I don't think there is advanced AD information available.

Since usernames are not really related to IP addresses, this is probably as good as you get for trying to locate the user's machine:
http://www.experts-exchange.com/Networking/Misc/Q_21416099.html?sfQueryTermInfo=1+2003+ip+list+user

Pete makes mention of a favorite tool of mine. It is called ANGRYIPSCAN, not angey Ip Scan. This might tell you who is logged onto the machine.

0
stevengraffAuthor Commented:
I'll try that, thanks.

btw, this "rogue acct creation" seems to happen occasionally, i.e. a couple of times per month or so. Different user name each time, usually a name that's not otherwise suspicious, like MSSQL, etc. No one uses the machine interactively. Someone suggested it could be a virus.
0
ChiefITCommented:
That is definitely something to look into.
0
ChiefITCommented:
Be careful when deleting these users. Some of them sound like they could be built-in accounts.

There is one called TS_internetuser, that is a built-in account for terminal services. There is also a built-in administrator account. And without looking, I believe there is an MSSQL account for WSUS and other SQL-based programs.
0
stevengraffAuthor Commented:
Thanks -- I think that's part of the bogey's plan -- creating user accounts that sound like they could be real!!!
0
ChiefITCommented:
Well, if I were a hacker, that is the way I would do it.
0
stevengraffAuthor Commented:
Thanks, though the solution doesn't apply to a Win2K environment.
0