• Status: Solved

Domain Controller Time Keeps Changing

The time on 1 of my domain controllers has been changed twice in the past 4 days. Someone or something is changing it and I need to figure this out. The first time I did not grab the log of when the system time was changed. This second time I did. It looks like it came from our domain admin account Administrator using the process net1.exe. I want to know how to better interpret this log and if I can find out what machine/IP address this time change occurred from:

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      520
Date:            4/2/2009
Time:            11:58:01 AM
User:            ARCGROUP\Administrator
Computer:      ARCDATA
Description:
The system time was changed.
 Process ID:            6956
 Process Name:            C:\WINNT\system32\net1.exe
 Primary User Name:      administrator
 Primary Domain:            ARCGROUP
 Primary Logon ID:            (0x0,0xAF66F1BA)
 Client User Name:            administrator
 Client Domain:            ARCGROUP
 Client Logon ID:            (0x0,0xAF66F1BA)
 Previous Time:            12:29:22 PM 4/2/2009
 New Time:            11:58:01 AM 4/2/2009


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Your help is very much appreciated
GigiJK
 
zelron22 Commented:
Is this a Windows 2000 server, or do you have a Windows 2000 server that is a domain controller?
 
Mike Kline Commented:
Scan that box for any malware, just make sure nothing is on that box that is using net1.exe for bad purposes.
 
GigiJK (Author) Commented:
It is Server 2003. I have scanned for malware. No luck.

Strange thing is, no one really ever uses the administrator password. We manage our domain with other accounts. Only a limited number of people know what the password is for administrator.

Is this definitely saying that someone used the account Administrator and changed the time with the net1.exe process?
 
GigiJK (Author) Commented:
Hm, alright, so I found out who logged on at that time. We did a test and the next time he logged in the time got changed again:
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            4/2/2009
Time:            12:29:14 PM
User:            ARCGROUP\Administrator
Computer:      ARCDATA
Description:
Successful Logon:
       User Name:      administrator
       Domain:            ARCGROUP
       Logon ID:            (0x0,0xAF66F1BA)
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      ARCDATA
       Logon GUID:      {034784ce-8d67-d8a3-bcdf-88ffe3d61840}
       Caller User Name:      ARCDATA$
       Caller Domain:      ARCGROUP
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 3368
       Transited Services: -
       Source Network Address:      10.1.1.51
       Source Port:      51887


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
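The correlation done by hand in the comment above (matching the Logon ID of the 520 time-change event to the 528 logon that carries the source address), as an added example that is not part of the original thread. The function names are this example's own, and the sample text is the two quoted events trimmed to the fields used.

```python
import re
from datetime import datetime

# The two events quoted in the thread, trimmed to the fields used here.
EVENTS = r"""Event Type:      Success Audit
Event ID:      520
 Process Name:            C:\WINNT\system32\net1.exe
 Client Logon ID:            (0x0,0xAF66F1BA)
 Previous Time:            12:29:22 PM 4/2/2009
 New Time:            11:58:01 AM 4/2/2009
Event Type:      Success Audit
Event ID:      528
       Logon ID:            (0x0,0xAF66F1BA)
       Logon Type:      10
       Source Network Address:      10.1.1.51
"""

LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}
TIME_FMT = "%I:%M:%S %p %m/%d/%Y"

def parse_events(text):
    """Split a pasted Event Viewer text export into one dict per event."""
    events = []
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*?)\s*$", line)
        if m and m.group(1) == "Event Type":   # first line of every exported record
            events.append({})
        if m and events:
            events[-1][m.group(1)] = m.group(2)
    return events

def trace_time_changes(events):
    """Join each 520 (time change) to the 528 logon with the same Logon ID."""
    norm = lambda s: s.replace(" ", "").lower()
    logons = {norm(e["Logon ID"]): e for e in events if e.get("Event ID") == "528"}
    findings = []
    for e in (e for e in events if e.get("Event ID") == "520"):
        logon = logons.get(norm(e["Client Logon ID"]), {})  # {} if no logon was captured
        shift = (datetime.strptime(e["New Time"], TIME_FMT)
                 - datetime.strptime(e["Previous Time"], TIME_FMT))
        kind = logon.get("Logon Type")
        findings.append({"process": e["Process Name"],
                         "shift_seconds": int(shift.total_seconds()),
                         "source": logon.get("Source Network Address"),
                         "logon_type": LOGON_TYPES.get(kind, kind)})
    return findings

if __name__ == "__main__":
    print(trace_time_changes(parse_events(EVENTS)))
```

A `source` of `None` means the matching 528 event was not in the exported text, so the export window needs to reach back to the start of that logon session.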
 
GigiJK (Author) Commented:
We are scanning his machine now.
 
GigiJK (Author) Commented:
We found out that a user logon script was syncing the time with an old server that had the wrong time. Once removed, the time stopped changing.
Question has a verified solution.