Administrator password keeps getting changed on reboot

Posted on 2011-10-10
Last Modified: 2012-08-14
Fresh install of a Windows Server 2008 R2 Standard server. The only things I've done are to add the computer to the domain and installed Windows updates. I've noticed that every time the server reboots, the local administrator password is changed to something that I don't know. I have to log on as another domain user and run gpupdate /force, and then the password returns to what it should be (it's set in Group Policy). On reboot, it changes back again.

I've noticed this in the event log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/10/2011 2:21:14 PM
Event ID:      4738
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
A user account was changed.

 Security ID:  SYSTEM
 Account Name:  TF2SERV$
 Account Domain:  MTCHS
 Logon ID:  0x3e7

Target Account:
 Security ID:  TF2SERV\Administrator
 Account Name:  Administrator
 Account Domain:  TF2SERV

Changed Attributes:
 SAM Account Name: Administrator
 Display Name:  <value not set>
 User Principal Name: -
 Home Directory:  <value not set>
 Home Drive:  <value not set>
 Script Path:  <value not set>
 Profile Path:  <value not set>
 User Workstations: <value not set>
 Password Last Set: 10/10/2011 2:21:14 PM
 Account Expires:  <never>
 Primary Group ID: 513
 AllowedToDelegateTo: -
 Old UAC Value:  0x210
 New UAC Value:  0x210
 User Account Control: -
 User Parameters: -
 SID History:  -
 Logon Hours:  All

Additional Information:
 Privileges:  -

Open in new window

This is weird, I've never seen anything like this before. I can't think of any reason the password would just be changing like that. It's also happening on another, much older server, although neither of them are critical.
Question by:mtchs
    LVL 11

    Accepted Solution

    Please check your Security policy, you have something setup in either Default Domain Policy or somewhere to set the password. This policy is coming in effect when you restart the computer or you let group policy reach its cycle.

    You can isolate to check this by putting computer in a separate OU & blocking inheritance.

    Author Closing Comment

    It turned out that there was a startup script changing the password that a previous admin put there. Removed the script and set the password via another group policy setting.

    Featured Post

    Promote certifications in your email signature

    Has your company recently won an award or achieved a certification? They'll no doubt want to show it off. Email signature images used to promote certifications & awards can instantly establish credibility with a recipient and provide you with numerous benefits.

    Join & Write a Comment

    Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
    You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
    To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
    This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now