Domain Controller Time Keeps Changing

The time on 1 of my domain controller's has been changed twice in the past 4 days.  Someone or something is changing it and I need to figure this out.  The first time I did not grab the log of when the system time was changed.  This second time I did.  It looks like it came from our domain admin account Administrator using the process net1.exe.  I want to know how to better interpret this log and if I can find out what machine/ip address this time change occured:

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      520
Date:            4/2/2009
Time:            11:58:01 AM
User:            ARCGROUP\Administrator
Computer:      ARCDATA
The system time was changed.
 Process ID:            6956
 Process Name:            C:\WINNT\system32\net1.exe
 Primary User Name:      administrator
 Primary Domain:            ARCGROUP
 Primary Logon ID:            (0x0,0xAF66F1BA)
 Client User Name:            administrator
 Client Domain:            ARCGROUP
 Client Logon ID:            (0x0,0xAF66F1BA)
 Previous Time:            12:29:22 PM 4/2/2009
 New Time:            11:58:01 AM 4/2/2009

For more information, see Help and Support Center at

Your help is very much appreciated
Who is Participating?
GigiJKConnect With a Mentor Author Commented:
we found out that a user logon script was syncing the time with an old server that had the wrong time.  once removed, the time stopped changed
Is this a Windows 2000 server, or do you have a Windows 2000 server that is a domain controller?
Mike KlineCommented:
Scan that box for any malware, just make sure nothing is on that box that is using net1.exe for bad purposes.
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

GigiJKAuthor Commented:
it is server 2003.  i have scanned for malware.  no luck.

strange this is, no really ever uses the administrator password.  we manage our domain with other accounts.  only a limited amount of people know what password is for administrator.

is this definitely saying that someone used the account Administrator and changed the time with the net1.exe process?
GigiJKAuthor Commented:
hm, alright so I found out who logged on at that time.  we did a test and next time he logged in the time got changed again:
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            4/2/2009
Time:            12:29:14 PM
User:            ARCGROUP\Administrator
Computer:      ARCDATA
Successful Logon:
       User Name:      administrator
       Domain:            ARCGROUP
       Logon ID:            (0x0,0xAF66F1BA)
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      ARCDATA
       Logon GUID:      {034784ce-8d67-d8a3-bcdf-88ffe3d61840}
       Caller User Name:      ARCDATA$
       Caller Domain:      ARCGROUP
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 3368
       Transited Services: -
       Source Network Address:
       Source Port:      51887

For more information, see Help and Support Center at
GigiJKAuthor Commented:
we are scanning his machine now.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.