Solved

Domain Controller Time Keeps Changing

Posted on 2009-04-02
Last Modified: 2012-05-06
The time on 1 of my domain controllers has been changed twice in the past 4 days. Someone or something is changing it and I need to figure this out. The first time I did not grab the log of when the system time was changed. This second time I did. It looks like it came from our domain admin account Administrator using the process net1.exe. I want to know how to better interpret this log and if I can find out what machine/IP address this time change occurred from:

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      520
Date:            4/2/2009
Time:            11:58:01 AM
User:            ARCGROUP\Administrator
Computer:      ARCDATA
Description:
The system time was changed.
 Process ID:            6956
 Process Name:            C:\WINNT\system32\net1.exe
 Primary User Name:      administrator
 Primary Domain:            ARCGROUP
 Primary Logon ID:            (0x0,0xAF66F1BA)
 Client User Name:            administrator
 Client Domain:            ARCGROUP
 Client Logon ID:            (0x0,0xAF66F1BA)
 Previous Time:            12:29:22 PM 4/2/2009
 New Time:            11:58:01 AM 4/2/2009


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Your help is very much appreciated
Question by:GigiJK
6 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 24052904
Is this a Windows 2000 server, or do you have a Windows 2000 server that is a domain controller?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24052943
Scan that box for any malware, just make sure nothing is on that box that is using net1.exe for bad purposes.
0
 

Author Comment

by:GigiJK
ID: 24053087
it is server 2003.  i have scanned for malware.  no luck.

strange thing is, no one really ever uses the administrator password.  we manage our domain with other accounts.  only a limited number of people know what the password is for administrator.


is this definitely saying that someone used the account Administrator and changed the time with the net1.exe process?
0
 

Author Comment

by:GigiJK
ID: 24053370
hm, alright so I found out who logged on at that time.  we did a test and next time he logged in the time got changed again:
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            4/2/2009
Time:            12:29:14 PM
User:            ARCGROUP\Administrator
Computer:      ARCDATA
Description:
Successful Logon:
       User Name:      administrator
       Domain:            ARCGROUP
       Logon ID:            (0x0,0xAF66F1BA)
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      ARCDATA
       Logon GUID:      {034784ce-8d67-d8a3-bcdf-88ffe3d61840}
       Caller User Name:      ARCDATA$
       Caller Domain:      ARCGROUP
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 3368
       Transited Services: -
       Source Network Address:      10.1.1.51
       Source Port:      51887


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 

Author Comment

by:GigiJK
ID: 24053372
we are scanning his machine now.
0
 

Accepted Solution

by:
GigiJK earned 0 total points
ID: 24111572
we found out that a user logon script was syncing the time with an old server that had the wrong time.  once removed, the time stopped changing
0
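The correlation done by hand in this thread, joining the time-change event (520) to the logon event (528) that carries the same Logon ID in order to read off the source address, written out as an added example that is not part of the original thread. The event fields are copied (trimmed) from the two events posted above; the function names `parse_events` and `trace_time_changes` are hypothetical, and the parser assumes the "Field: value" text layout shown in those posts.

```python
import re
from datetime import datetime

# Fields copied (trimmed) from the two events posted in this thread.
EVENTS = r"""Event ID:      520
Process Name:            C:\WINNT\system32\net1.exe
Primary Logon ID:            (0x0,0xAF66F1BA)
Previous Time:            12:29:22 PM 4/2/2009
New Time:            11:58:01 AM 4/2/2009

Event ID:      528
Date:            4/2/2009
Time:            12:29:14 PM
User Name:      administrator
Logon ID:            (0x0,0xAF66F1BA)
Logon Type:      10
Caller Logon ID:      (0x0,0x3E7)
Source Network Address:      10.1.1.51
"""

LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}
STAMP = "%I:%M:%S %p %m/%d/%Y"

def parse_events(text):
    """Split pasted event text into one {field: value} dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def trace_time_changes(events):
    """Join each 520 to the 528 whose Logon ID matches its Primary Logon ID."""
    # Key on "Logon ID", not "Caller Logon ID" (0x3E7 is the SYSTEM session).
    logons = {e["Logon ID"]: e for e in events if e.get("Event ID") == "528"}
    findings = []
    for change in events:
        logon = logons.get(change.get("Primary Logon ID"))
        if change.get("Event ID") != "520" or logon is None:
            continue  # not a time change, or its logon is no longer in the log
        # The 520 record is stamped with the NEW clock; "Previous Time" is
        # the reading that lines up with the other events in the log.
        changed = datetime.strptime(change["Previous Time"], STAMP)
        logged_on = datetime.strptime(f'{logon["Time"]} {logon["Date"]}', STAMP)
        findings.append({
            "process": change["Process Name"],
            "source_ip": logon["Source Network Address"],
            "logon_type": LOGON_TYPES.get(logon["Logon Type"], "other"),
            "seconds_after_logon": int((changed - logged_on).total_seconds()),
        })
    return findings
```

A change that lands a few seconds after a logon points at something that runs at logon, which is what the logon script in the accepted solution turned out to be.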
