Administrator password keeps getting changed on reboot

Fresh install of a Windows Server 2008 R2 Standard server. The only things I've done are to add the computer to the domain and installed Windows updates. I've noticed that every time the server reboots, the local administrator password is changed to something that I don't know. I have to log on as another domain user and run gpupdate /force, and then the password returns to what it should be (it's set in Group Policy). On reboot, it changes back again.

I've noticed this in the event log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/10/2011 2:21:14 PM
Event ID:      4738
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      TF2Serv.mtchs.org
Description:
A user account was changed.

Subject:
 Security ID:  SYSTEM
 Account Name:  TF2SERV$
 Account Domain:  MTCHS
 Logon ID:  0x3e7

Target Account:
 Security ID:  TF2SERV\Administrator
 Account Name:  Administrator
 Account Domain:  TF2SERV

Changed Attributes:
 SAM Account Name: Administrator
 Display Name:  <value not set>
 User Principal Name: -
 Home Directory:  <value not set>
 Home Drive:  <value not set>
 Script Path:  <value not set>
 Profile Path:  <value not set>
 User Workstations: <value not set>
 Password Last Set: 10/10/2011 2:21:14 PM
 Account Expires:  <never>
 Primary Group ID: 513
 AllowedToDelegateTo: -
 Old UAC Value:  0x210
 New UAC Value:  0x210
 User Account Control: -
 User Parameters: -
 SID History:  -
 Logon Hours:  All

Additional Information:
 Privileges:  -

Open in new window


This is weird, I've never seen anything like this before. I can't think of any reason the password would just be changing like that. It's also happening on another, much older server, although neither of them are critical.
mtchsAsked:
Who is Participating?
 
AcklesConnect With a Mentor Commented:
Please check your Security policy, you have something setup in either Default Domain Policy or somewhere to set the password. This policy is coming in effect when you restart the computer or you let group policy reach its cycle.

You can isolate to check this by putting computer in a separate OU & blocking inheritance.
0
 
mtchsAuthor Commented:
It turned out that there was a startup script changing the password that a previous admin put there. Removed the script and set the password via another group policy setting.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.