Windows XP Login Anomaly

Hello,

Noted a strange incident on a network last week.  Several users noted that their computers restarted and when the systems rebooted, the username showed the "Administrator" account instead of their default user name.  I suspect hacking but am curious if perhaps a new Windows update or SR or something might have caused this.

The workstations are running Windows XP SR3 and they are part of a Windows 2003 domain.
SRC-S1 Asked:
Neal58 Commented:
Has anyone been logging in as admin on these PCs? Check the event logs on a couple to see who's logged in, and it may be worth securing your administrator login!
0
SRC-S1 (Author) Commented:
Hey Neal58,

Great thought, but I am told that neither the administrator nor the admin account is used on these workstations. According to in-house IT, at around the same time, three workstations restarted and when they came back up the administrator account was in the username....this typically only shows when the administrator account, either locally or via RDP, was so logged on.

Quite strange for sure.
0
Zerox Hoop (Linux Admin) Commented:
Have you checked all the user names on the server? What is it showing on the server?
Are all the user names on the server the same, or replaced too?

Are users able to log in with their user names on the system or not? If not, what error occurred?
0
Fred Marshall (Principal) Commented:
Well, first it sounds like the login setup on those computers is the Classic Logon screen that has a blank for the user and a blank for the password.  Is that right?

Then, this screen comes up with the last username in the first blank.

I wonder if there wasn't an upgrade or change pushed from the server that required a logon?  If this happened, and particularly if it was automated, then maybe nobody knows?  Or possibly a Windows update?  

If the Administrator account "is not used" then it's also very possible that the Administrator password is [blank].  If that's the case then it would be easier for system-level push administration operations.  And, *that* may be somewhat transparent to the system administrators.

I do think it's relatively safe to say or surmise that an Administrator logon did happen on those computers.
0
SRC-S1 (Author) Commented:
Thanks all...so far still hoping for a reasonable explanation....

I am assured that the domain administrator account has not logged in to these computers in some time (months).  Further, as Windows only shows the last successful logged on user in the username field, this indicates that the domain administrator account was involved here.

Also, the domain administrator account does NOT have a blank password.

Further, one would expect to see this anomaly if, perhaps, the domain administrator account was successfully connected via RDP and a forced shutdown or restart was done, wherein the domain administrator would in fact be the last successful login.  Combined with the fact that the computers restarted, does sound to be along the lines of hacking and vandalism or annoyance to say the least.

Am hoping for alternate explanations such as perhaps a very recent Windows update might demonstrate such a symptom...not seeing it for any other clients which makes that very unlikely.

Again, appreciate the wisdom and feedback in this source and hopeful that someone might have more thoughts.
0
Neal58 Commented:
Does the local PC have the administrator account enabled? Are you sure it was trying the domain admin?

Windows updates won't make it log in as the admin account.

Yes, if the domain admin had connected via RDP (or even another screen sharing software that allowed login/out reboot ability like TeamViewer or VNC), it will show here if a successful login happened.

The only way for that admin account to be in the user name box is if there was a successful login by the domain admin user. So whoever or however it was done may be moot, as it is still likely that someone has logged in with that account on that PC.
0
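One way to run the event-log check suggested in this thread, as an added example that is not part of any participant's post: it correlates successful Administrator logons (Security event 528 on XP/2003, logon type 2 for console or 10 for RDP) with restart events in the System log (1074, 6005, 6008) on the same workstation. The CSV column layout, host names, timestamps and addresses are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: Security/System log records exported to CSV.
# Column layout, hosts, times and addresses are invented for illustration.
SAMPLE = """time,computer,log,event_id,user,logon_type,source
2010-03-04 02:11:40,WS01,Security,529,Administrator,10,192.0.2.50
2010-03-04 02:12:05,WS01,Security,528,Administrator,10,192.0.2.50
2010-03-04 02:14:30,WS01,System,1074,Administrator,,
2010-03-04 02:15:10,WS01,System,6005,,,
2010-03-03 08:01:12,WS02,Security,528,jsmith,2,
2010-03-04 02:16:02,WS02,System,6008,,,
"""

LOGON_TYPES = {"2": "console", "10": "RDP/Terminal Services", "11": "cached credentials"}
SUCCESS_LOGON, FAILED_LOGON = "528", "529"   # XP/2003 Security log event IDs
RESTART_EVENTS = {"1074", "6005", "6008"}    # System log: shutdown request, boot, unexpected shutdown

def admin_logons_before_restart(text, account="administrator", window_minutes=30):
    """Return interactive logons by `account` followed by a restart on the same host."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["when"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    findings = []
    for r in rows:
        if (r["log"], r["event_id"]) != ("Security", SUCCESS_LOGON) or r["user"].lower() != account:
            continue
        if r["logon_type"] not in LOGON_TYPES:   # ignore network/service logons
            continue
        end = r["when"] + timedelta(minutes=window_minutes)
        same_host = [x for x in rows if x["computer"] == r["computer"]]
        restarted = any(x["log"] == "System" and x["event_id"] in RESTART_EVENTS
                        and r["when"] <= x["when"] <= end for x in same_host)
        failures = sum(1 for x in same_host if x["event_id"] == FAILED_LOGON
                       and x["user"].lower() == account and x["when"] <= r["when"])
        if restarted:
            findings.append({"computer": r["computer"], "time": r["time"],
                             "how": LOGON_TYPES[r["logon_type"]],
                             "source": r["source"] or "local",
                             "failed_attempts_before": failures})
    return findings

if __name__ == "__main__":
    for finding in admin_logons_before_restart(SAMPLE):
        print(finding)
```

A hit with logon type 10 and a source address answers the "console or RDP?" question raised above; no hit on a workstation whose logon box shows Administrator suggests the Security log was not auditing logons or has been cleared.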
Fred Marshall (Principal) Commented:
There are some things you can do as a check:

Log in as Administrator at each affected computer.
This login will confirm the password for Administrator.
If it's not changed then that's at least something.
Then change it.

Is RDP enabled?

Passwords are fairly easy to hack unless they are complex.  That's why there are password "scores" on some interfaces.  I like to use a combination of numerals (10) and letters (26) and upper/lower case mixed liberally (taking 26 to 52) and then you can add special characters in some interfaces for more.  Even this way there are 62 characters possible so you get N**62 possibilities which is too huge to search through in a lifetime.
See: www.passwordmeter.com or similar site to learn more and to try things.
0