SRC-S1

asked on

Windows XP Login Anomaly

Hello,

Noted a strange incident on a network last week. Several users noted that their computers restarted and when the systems rebooted, the username showed the "Administrator" account instead of their default user name. I suspect hacking but am curious if perhaps a new Windows update or SR or something might have caused this.

The workstations are running Windows XP SR3 and they are part of a Windows 2003 domain.
Neal58

Has anyone been logging in as admin on these PCs? Check the event logs on a couple to see who's logged in, and it may be worth securing your administrator login!
SRC-S1

ASKER

Hey Neal58,

Great thought, but I am told that neither the administrator nor the admin account is used on these workstations. According to in-house IT, at around the same time, three workstations restarted and when they came back up the administrator account was in the username....this typically only shows when the administrator account, either locally or via RDP, was so logged on.

Quite strange for sure.
Have you checked all the user names on the server? What is it showing on the server?
Are all the user names on the server the same, or replaced too?

Are users able to log in with their user name on the system or not? If not, what error occurred?
hypercube
Well, first it sounds like the login setup on those computers is the Classic Logon screen that has a blank for the user and a blank for the password.  Is that right?

Then, this screen comes up with the last username in the first blank.

I wonder if there wasn't an upgrade or change pushed from the server that required a logon?  If this happened, and particularly if it was automated, then maybe nobody knows?  Or possibly a Windows update?  

If the Administrator account "is not used" then it's also very possible that the Administrator password is [blank].  If that's the case then it would be easier for system-level push administration operations.  And, *that* may be somewhat transparent to the system administrators.

I do think it's relatively safe to say or surmise that an Administrator logon did happen on those computers.
SRC-S1

ASKER

Thanks all...so far still hoping for a reasonable explanation....

I am assured that the domain administrator account has not logged in to these computers in some time (months). Further, as Windows only shows the last successful logged on user in the username field, this indicates that the domain administrator account was involved here.

Also, the domain administrator account does NOT have a blank password.

Further, one would expect to see this anomaly if, perhaps, the domain administrator account was successfully connected via RDP and a forced shutdown or restart was done, wherein the domain administrator would in fact be the last successful login. Combined with the fact that the computers restarted, does sound to be along the lines of hacking and vandalism or annoyance to say the least.

Am hoping for alternate explanations such as perhaps a very recent Windows update might demonstrate such a symptom...not seeing it for any other clients which makes that very unlikely.

Again, appreciate the wisdom and feedback in this source and hopeful that someone might have more thoughts.
ASKER CERTIFIED SOLUTION
Neal58

This solution is only available to members.
There are some things you can do as a check:

Log in as Administrator at each affected computer.
This login will confirm the password for Administrator.
If it's not changed then that's at least something.
Then change it.

Is RDP enabled?

Passwords are fairly easy to hack unless they are complex.  That's why there are password "scores" on some interfaces.  I like to use a combination of numerals (10) and letters (26) and upper/lower case mixed liberally (taking 26 to 52) and then you can add special characters in some interfaces for more.  Even this way there are 62 characters possible so you get N**62 possibilities which is too huge to search through in a lifetime.
See: www.passwordmeter.com or similar site to learn more and to try things.
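
Added example, not part of any poster's reply: one way to act on the "check the event logs" suggestion and test the asker's RDP-then-restart hypothesis is to correlate successful Administrator logons (XP/2003 Security event 528, logon type 10 for RDP) with restart events in the System log. The CSV layout, column names and all sample records below are constructed for illustration, as is the function name.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: a hypothetical CSV export of one workstation's Security
# and System logs. Column names and every value are made up for this example.
SAMPLE = """time,log,event_id,user,logon_type,source
2010-03-04 08:01:12,Security,528,jsmith,2,
2010-03-04 13:40:03,Security,529,CORP\\Administrator,10,192.0.2.50
2010-03-04 13:40:41,Security,528,CORP\\Administrator,10,192.0.2.50
2010-03-04 13:42:10,System,1074,CORP\\Administrator,,
2010-03-04 13:43:30,System,6005,,,
2010-03-04 13:50:02,Security,528,jsmith,2,
"""

LOGON_OK = {"528", "540"}            # XP/2003 successful logon; 540 = network logon
LOGON_TYPES = {"2": "console", "3": "network", "10": "RDP"}
RESTART = {"1074", "6005", "6008"}   # shutdown request, event log start, unexpected shutdown


def admin_logons_near_restart(text, account="administrator", window_min=15):
    """Return (logon_time, kind, source, restart_time, restart_event_id) for each
    successful logon by `account` that is followed by a restart within the window."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["t"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    restarts = [r for r in rows if r["log"] == "System" and r["event_id"] in RESTART]
    window = timedelta(minutes=window_min)
    hits = []
    for r in rows:
        if r["log"] != "Security" or r["event_id"] not in LOGON_OK:
            continue
        # Match local and domain forms of the name (DOMAIN\Administrator).
        if r["user"].split("\\")[-1].lower() != account:
            continue
        after = [s for s in restarts if timedelta(0) <= s["t"] - r["t"] <= window]
        if after:
            first = min(after, key=lambda s: s["t"])
            kind = LOGON_TYPES.get(r["logon_type"], "type " + r["logon_type"])
            hits.append((r["time"], kind, r["source"] or "local",
                         first["time"], first["event_id"]))
    return hits


if __name__ == "__main__":
    for hit in admin_logons_near_restart(SAMPLE):
        print("Administrator logon %s via %s from %s; restart at %s (event %s)" % hit)
```

A hit with kind "RDP" and a source address points to a remote session rather than an update-driven reboot; the failed attempt (event 529) just before it in the sample is the kind of neighbouring record worth reading by hand.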