

Administrator password keeps getting changed on reboot

Posted on 2011-10-10
Medium Priority
Last Modified: 2012-08-14
Fresh install of a Windows Server 2008 R2 Standard server. The only things I've done are to add the computer to the domain and install Windows updates. I've noticed that every time the server reboots, the local administrator password is changed to something that I don't know. I have to log on as another domain user and run gpupdate /force, and then the password returns to what it should be (it's set in Group Policy). On reboot, it changes back again.

I've noticed this in the event log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/10/2011 2:21:14 PM
Event ID:      4738
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      TF2Serv.mtchs.org
A user account was changed.

 Security ID:  SYSTEM
 Account Name:  TF2SERV$
 Account Domain:  MTCHS
 Logon ID:  0x3e7

Target Account:
 Security ID:  TF2SERV\Administrator
 Account Name:  Administrator
 Account Domain:  TF2SERV

Changed Attributes:
 SAM Account Name: Administrator
 Display Name:  <value not set>
 User Principal Name: -
 Home Directory:  <value not set>
 Home Drive:  <value not set>
 Script Path:  <value not set>
 Profile Path:  <value not set>
 User Workstations: <value not set>
 Password Last Set: 10/10/2011 2:21:14 PM
 Account Expires:  <never>
 Primary Group ID: 513
 AllowedToDelegateTo: -
 Old UAC Value:  0x210
 New UAC Value:  0x210
 User Account Control: -
 User Parameters: -
 SID History:  -
 Logon Hours:  All

Additional Information:
 Privileges:  -


This is weird, I've never seen anything like this before. I can't think of any reason the password would just be changing like that. It's also happening on another, much older server, although neither of them are critical.
Question by: mtchs
LVL 11

Accepted Solution

Ackles earned 1500 total points
ID: 36945452
Please check your Security policy; you have something set up in either the Default Domain Policy or somewhere else to set the password. This policy is coming into effect when you restart the computer or you let group policy reach its cycle.

You can isolate to check this by putting the computer in a separate OU & blocking inheritance.

Author Closing Comment

ID: 36958610
It turned out that there was a startup script changing the password that a previous admin put there. Removed the script and set the password via another group policy setting.
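
The event in the question is how a password reset made from the machine's own SYSTEM context (for example by a startup script) appears in the Security log. As an added example that is not part of the original thread, this Python check parses the text rendering of event 4738 and flags password sets made from the LocalSystem logon session 0x3e7; the function names, the 2-second tolerance, the timestamp format and the matching-timestamp heuristic are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the fields this check reads, copied from the event in the question.
# That paste has no "Subject:" heading, so the subject fields land under bare names.
SAMPLE_EVENT = r"""
Date:          10/10/2011 2:21:14 PM
Event ID:      4738
Computer:      TF2Serv.mtchs.org
A user account was changed.
 Security ID:  SYSTEM
 Account Name:  TF2SERV$
 Logon ID:  0x3e7
Target Account:
 Security ID:  TF2SERV\Administrator
 Account Name:  Administrator
Changed Attributes:
 Password Last Set: 10/10/2011 2:21:14 PM
 Old UAC Value:  0x210
"""

TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumes the US-style timestamps shown in the paste

def parse_event(text):
    """Map 'Section/Field' (or bare 'Field' before any section heading) to its value."""
    fields, section = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue  # blank line or free text such as 'A user account was changed.'
        name, value = m.group(1).strip(), m.group(2).strip()
        if value:
            fields[f"{section}/{name}" if section else name] = value
        else:
            section = name  # a heading like 'Target Account:' opens a new section
    return fields

def find_system_password_reset(text, tolerance_s=2):
    """Return details if the LocalSystem session (0x3e7) set a password in this 4738 event."""
    f = parse_event(text)
    logon_id = f.get("Subject/Logon ID", f.get("Logon ID", ""))
    pwd_set = f.get("Changed Attributes/Password Last Set", "-")
    if f.get("Event ID") != "4738" or logon_id.lower() != "0x3e7":
        return None
    if pwd_set in ("-", "<never>"):
        return None  # attribute was not changed in this operation
    event_time = datetime.strptime(f["Date"], TS_FORMAT)
    if abs((datetime.strptime(pwd_set, TS_FORMAT) - event_time).total_seconds()) > tolerance_s:
        return None  # heuristic: the password timestamp does not match this event
    return {"computer": f.get("Computer"), "changed_by": f.get("Subject/Account Name", f.get("Account Name")),
            "target": f.get("Target Account/Security ID"), "when": event_time}
```

A hit that recurs shortly after every boot points at something running as the computer itself, such as a startup script or policy-applied setting, rather than at an interactive user.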


Question has a verified solution.
