
Domain Controller Time Keeps Changing

Posted on 2009-04-02
Last Modified: 2012-05-06
The time on 1 of my domain controllers has been changed twice in the past 4 days. Someone or something is changing it and I need to figure this out. The first time I did not grab the log of when the system time was changed. This second time I did. It looks like it came from our domain admin account Administrator using the process net1.exe. I want to know how to better interpret this log and if I can find out from what machine/IP address this time change occurred:

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      520
Date:            4/2/2009
Time:            11:58:01 AM
User:            ARCGROUP\Administrator
Computer:      ARCDATA
Description:
The system time was changed.
 Process ID:            6956
 Process Name:            C:\WINNT\system32\net1.exe
 Primary User Name:      administrator
 Primary Domain:            ARCGROUP
 Primary Logon ID:            (0x0,0xAF66F1BA)
 Client User Name:            administrator
 Client Domain:            ARCGROUP
 Client Logon ID:            (0x0,0xAF66F1BA)
 Previous Time:            12:29:22 PM 4/2/2009
 New Time:            11:58:01 AM 4/2/2009


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Your help is very much appreciated
0
Comment
Question by:GigiJK
6 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 24052904
Is this a Windows 2000 server, or do you have a Windows 2000 server that is a domain controller?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24052943
Scan that box for any malware, just make sure nothing is on that box that is using net1.exe for bad purposes.
0
 

Author Comment

by:GigiJK
ID: 24053087
It is Server 2003. I have scanned for malware. No luck.

Strange thing is, no one really ever uses the administrator password. We manage our domain with other accounts. Only a limited number of people know what the password is for administrator.


Is this definitely saying that someone used the account Administrator and changed the time with the net1.exe process?
0

 

Author Comment

by:GigiJK
ID: 24053370
Hm, alright, so I found out who logged on at that time. We did a test and the next time he logged in the time got changed again:
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            4/2/2009
Time:            12:29:14 PM
User:            ARCGROUP\Administrator
Computer:      ARCDATA
Description:
Successful Logon:
       User Name:      administrator
       Domain:            ARCGROUP
       Logon ID:            (0x0,0xAF66F1BA)
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      ARCDATA
       Logon GUID:      {034784ce-8d67-d8a3-bcdf-88ffe3d61840}
       Caller User Name:      ARCDATA$
       Caller Domain:      ARCGROUP
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 3368
       Transited Services: -
       Source Network Address:      10.1.1.51
       Source Port:      51887


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
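The correlation worked out by hand in this thread, joining the Event 520 record to the Event 528 logon that shares its Logon ID, shown as an added Python example (not code from any poster; the sample records are abridged copies of the two events above, and the function names and `LOGON_TYPES` table are illustrative). The join is on Logon ID rather than on timestamps because the 520 record is stamped with the new clock value, which here is earlier than the logon that caused it.

```python
# Abridged copies of the two Security-log records posted in this thread.
EVENT_520 = r"""Event ID:      520
Time:            11:58:01 AM
The system time was changed.
 Process Name:            C:\WINNT\system32\net1.exe
 Client User Name:            administrator
 Client Logon ID:            (0x0,0xAF66F1BA)
 Previous Time:            12:29:22 PM 4/2/2009
 New Time:            11:58:01 AM 4/2/2009
"""
EVENT_528 = r"""Event ID:      528
Time:            12:29:14 PM
Successful Logon:
       User Name:      administrator
       Logon ID:            (0x0,0xAF66F1BA)
       Logon Type:      10
       Workstation Name:      ARCDATA
       Source Network Address:      10.1.1.51
"""
# Logon types relevant here (illustrative helper table, not exhaustive).
LOGON_TYPES = {"2": "Interactive", "3": "Network",
               "10": "RemoteInteractive (Terminal Services/RDP)"}

def parse_event(text):
    """Split each 'Name: value' line at the first colon only, so times and paths survive."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def trace_time_changes(records):
    """For every 520 record, find the 528 logon with the same Logon ID."""
    events = [parse_event(r) for r in records]
    logons = {e["Logon ID"].upper(): e for e in events
              if e.get("Event ID") == "528" and "Logon ID" in e}
    findings = []
    for e in events:
        if e.get("Event ID") != "520":
            continue
        logon = logons.get(e.get("Client Logon ID", "").upper(), {})
        findings.append({
            "process": e.get("Process Name"),
            "account": e.get("Client User Name"),
            "source_ip": logon.get("Source Network Address"),  # None if the logon was not captured
            "logon_type": LOGON_TYPES.get(logon.get("Logon Type"), logon.get("Logon Type")),
        })
    return findings

if __name__ == "__main__":
    for finding in trace_time_changes([EVENT_520, EVENT_528]):
        print(finding)
```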
 

Author Comment

by:GigiJK
ID: 24053372
We are scanning his machine now.
0
 

Accepted Solution

by:
GigiJK earned 0 total points
ID: 24111572
We found out that a user logon script was syncing the time with an old server that had the wrong time. Once removed, the time stopped changing.
0


Question has a verified solution.
