Solved

Domain Controller Time Keeps Changing

Posted on 2009-04-02
6
1,850 Views
Last Modified: 2012-05-06
The time on 1 of my domain controller's has been changed twice in the past 4 days.  Someone or something is changing it and I need to figure this out.  The first time I did not grab the log of when the system time was changed.  This second time I did.  It looks like it came from our domain admin account Administrator using the process net1.exe.  I want to know how to better interpret this log and if I can find out what machine/ip address this time change occured:

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      520
Date:            4/2/2009
Time:            11:58:01 AM
User:            ARCGROUP\Administrator
Computer:      ARCDATA
Description:
The system time was changed.
 Process ID:            6956
 Process Name:            C:\WINNT\system32\net1.exe
 Primary User Name:      administrator
 Primary Domain:            ARCGROUP
 Primary Logon ID:            (0x0,0xAF66F1BA)
 Client User Name:            administrator
 Client Domain:            ARCGROUP
 Client Logon ID:            (0x0,0xAF66F1BA)
 Previous Time:            12:29:22 PM 4/2/2009
 New Time:            11:58:01 AM 4/2/2009


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Your help is very much appreciated
0
Comment
Question by:GigiJK
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
6 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 24052904
Is this a Windows 2000 server, or do you have a Windows 2000 server that is a domain controller?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24052943
Scan that box for any malware, just make sure nothing is on that box that is using net1.exe for bad purposes.
0
 

Author Comment

by:GigiJK
ID: 24053087
it is server 2003.  i have scanned for malware.  no luck.

strange this is, no really ever uses the administrator password.  we manage our domain with other accounts.  only a limited amount of people know what password is for administrator.


is this definitely saying that someone used the account Administrator and changed the time with the net1.exe process?
0
[Live Webinar] The Cloud Skills Gap

As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.

Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.

 

Author Comment

by:GigiJK
ID: 24053370
hm, alright so I found out who logged on at that time.  we did a test and next time he logged in the time got changed again:
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            4/2/2009
Time:            12:29:14 PM
User:            ARCGROUP\Administrator
Computer:      ARCDATA
Description:
Successful Logon:
       User Name:      administrator
       Domain:            ARCGROUP
       Logon ID:            (0x0,0xAF66F1BA)
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      ARCDATA
       Logon GUID:      {034784ce-8d67-d8a3-bcdf-88ffe3d61840}
       Caller User Name:      ARCDATA$
       Caller Domain:      ARCGROUP
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 3368
       Transited Services: -
       Source Network Address:      10.1.1.51
       Source Port:      51887


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 

Author Comment

by:GigiJK
ID: 24053372
we are scanning his machine now.
0
 

Accepted Solution

by:
GigiJK earned 0 total points
ID: 24111572
we found out that a user logon script was syncing the time with an old server that had the wrong time.  once removed, the time stopped changed
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question