  • Status: Solved
  • Priority: Medium
  • Security: Public

Windows XP Login Anomaly

Hello,

Noted a strange incident on a network last week.  Several users noted that their computers restarted and when the systems rebooted, the username showed the "Administrator" account instead of their default user name.  I suspect hacking but am curious if perhaps a new Windows update or SR or something might have caused this.

The workstations are running Windows XP SR3 and they are part of a Windows 2003 domain.
Asked: SRC-S1
 
Neal58 Commented:
Has anyone been logging in as admin on these PCs? Check the event logs on a couple to see who's logged in, and it may be worth securing your administrator login!
 
SRC-S1 (Author) Commented:
Hey Neal58,

Great thought, but I am told that neither the administrator nor the admin account is used on these workstations. According to in-house IT, at around the same time, three workstations restarted and when they came back up the administrator account was in the username... this typically only shows when the administrator account, either locally or via RDP, was so logged on.

Quite strange for sure.
 
xeroxzerox Commented:
Have you checked all the user names on the server? What is it showing on the server?
Are all the user names on the server the same, or replaced too?

Are users able to log in with their user names on the system or not? If not, what error occurred?
 
Fred Marshall (Principal) Commented:
Well, first it sounds like the login setup on those computers is the Classic Logon screen that has a blank for the user and a blank for the password.  Is that right?

Then, this screen comes up with the last username in the first blank.

I wonder if there wasn't an upgrade or change pushed from the server that required a logon?  If this happened, and particularly if it was automated, then maybe nobody knows?  Or possibly a Windows update?  

If the Administrator account "is not used" then it's also very possible that the Administrator password is [blank].  If that's the case then it would be easier for system-level push administration operations.  And, *that* may be somewhat transparent to the system administrators.

I do think it's relatively safe to say or surmise that an Administrator logon did happen on those computers.
 
SRC-S1 (Author) Commented:
Thanks all... so far still hoping for a reasonable explanation...

I am assured that the domain administrator account has not logged in to these computers in some time (months).  Further, as Windows only shows the last successful logged on user in the username field, this indicates that the domain administrator account was involved here.

Also, the domain administrator account does NOT have a blank password.

Further, one would expect to see this anomaly if, perhaps, the domain administrator account was successfully connected via RDP and a forced shutdown or restart was done, wherein the domain administrator would in fact be the last successful login.  Combined with the fact that the computers restarted, does sound to be along the lines of hacking and vandalism or annoyance to say the least.

Am hoping for alternate explanations such as perhaps a very recent Windows update might demonstrate such a symptom... not seeing it for any other clients which makes that very unlikely.

Again, appreciate the wisdom and feedback in this source and hopeful that someone might have more thoughts.
 
Neal58 Commented:
Does the local PC have the administrator account enabled? Are you sure it was trying the domain admin?

Windows updates won't make it log in as the admin account.

Yes, if the domain admin had connected via RDP (or even another screen sharing software that allowed login/out reboot ability like TeamViewer or VNC) it will show here if a successful login happened.

The only way for that admin account to be in the user name box is if there was a successful login by the domain admin user. So whoever or however it was done may be moot as it is still likely that someone has logged in with that account on that PC.
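
The event-log check suggested in this thread, as an added example that is not part of any participant's post: a Python script that scans exported Security and System log rows for successful Administrator logons, labels how each was made (console, network or RDP), and flags failed attempts just before and a restart just after. The CSV column layout, the sample rows, the `CORP` domain and the source address are constructed for illustration; the event IDs are the Windows XP/2003 ones.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample rows; the CSV column layout is an assumption about how the
# Security and System logs were exported, not a Windows format.
SAMPLE = r"""time,log,event_id,user,logon_type,source
2012-03-05 09:58:10,Security,528,CORP\jsmith,2,
2012-03-05 14:02:41,Security,529,CORP\Administrator,10,192.0.2.57
2012-03-05 14:03:05,Security,528,CORP\Administrator,10,192.0.2.57
2012-03-05 14:04:30,System,1074,CORP\Administrator,,
2012-03-05 14:05:12,System,6005,,,
2012-03-06 08:31:00,Security,528,CORP\jsmith,2,
"""

# XP/2003 event IDs: 528 logon, 540 network logon, 529 bad user name/password,
# 1074 shutdown/restart requested, 6005 Event Log service started (boot).
LOGON_OK, LOGON_FAIL, RESTART = {"528", "540"}, {"529"}, {"1074", "6005"}
LOGON_TYPES = {"2": "interactive (console)", "3": "network", "10": "RemoteInteractive (RDP)"}

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["time"])

def is_account(row, account):
    # Match both DOMAIN\Administrator and a local Administrator entry.
    return row["user"].split("\\")[-1].lower() == account.lower()

def admin_logons(rows, account="Administrator", window=timedelta(minutes=15)):
    """Successful logons by `account`, with failures before and restarts after."""
    restarts = [r["time"] for r in rows if r["log"] == "System" and r["event_id"] in RESTART]
    findings = []
    for r in rows:
        if r["log"] != "Security" or r["event_id"] not in LOGON_OK or not is_account(r, account):
            continue
        failures = [f for f in rows if f["event_id"] in LOGON_FAIL and is_account(f, account)
                    and timedelta(0) <= r["time"] - f["time"] <= window]
        findings.append({
            "time": r["time"], "user": r["user"], "source": r["source"] or None,
            "how": LOGON_TYPES.get(r["logon_type"], "type " + r["logon_type"]),
            "failed_before": len(failures),
            "restart_followed": any(timedelta(0) <= t - r["time"] <= window for t in restarts),
        })
    return findings

if __name__ == "__main__":
    for f in admin_logons(load(SAMPLE)):
        print(f)
```

The Security events appear only if logon auditing was enabled on the workstation before the incident; an empty result on a machine without auditing says nothing either way.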
 
Fred Marshall (Principal) Commented:
There are some things you can do as a check:

Log in as Administrator at each affected computer.
This login will confirm the password for Administrator.
If it's not changed then that's at least something.
Then change it.

Is RDP enabled?

Passwords are fairly easy to hack unless they are complex.  That's why there are password "scores" on some interfaces.  I like to use a combination of numerals (10) and letters (26) and upper/lower case mixed liberally (taking 26 to 52) and then you can add special characters in some interfaces for more.  Even this way there are 62 characters possible so you get N**62 possibilities which is too huge to search through in a lifetime.
See: www.passwordmeter.com or similar site to learn more and to try things.
Question has a verified solution.
