Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Windows Server 2008 R2 password and account issues

Posted on 2013-05-12
3
432 Views
Last Modified: 2013-05-28
Hi all, i have potentially a serious problem. i have recently installed a new server and setup remote desktop services for all the users. Only myself and 2 other usernames were administrator privileges, i got a call from on the staff members saying the password is not accepted and to ask if i changed it. I have since found all administrator account passwords are not working, some usernames are not even listed anymore in computer management and there are 2 more accounts setup as administrator access. These are called MicrosoftTM and Systems.

Can anybody please help me, is there a way to retreive the passwords, or perhaps restart the server with standard user access incase its just needs a reboot, or is it more serious and someone has gotten into the system and stuffed around with the settings.

I had a look through event viewer but could not see any logs that mention password changed or anything like that.
0
Comment
Question by:cybertechcomputers
3 Comments
 
LVL 25

Accepted Solution

by:
Tony Johncock earned 500 total points
ID: 39160910
On the face of it, someone or something has compromised your systems.

It isn't uncommon for people to name an account something that would, at a casual glance, pass for a system or Microsoft account.

System / Sysetms - very close. There is no inbuilt account call Systems or MicrosoftTM.

Is the problem Domain-Wide?

If so, you may be better off isolating the RDS box (was this internet facing? Do you know for sure it was the attack platform?).

I would look to get hold of a boot-CD that can change the password on that machine and then trawl the logs to see if you can determine who, why and when it was changed.

If it's domain wide you will need to restore AD I'm afraid - I would do it in parallel with the above.

Do you have strong password policies in place? Many attack vectors for RDS on internet facing servers look for weak passwords on port 3389.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39161034
Were any new group policies applied after your Server was put into production?
Even a simple task like moving a computer from existing OU or Computers container to another OU could result in new Group Policies being applied.

If you have local accounts then the restrited accounts policy could remove the other accounts.

Run:
gpresult /h gpresult.html
or
rsop.msc
to see the Group policy settings that are being applied to that computer.
0
 

Author Closing Comment

by:cybertechcomputers
ID: 39203640
Thank you for the replies, indeed it was some spyware junk on the server. I managed to reset the admin password and get back into the server. however it had continual virus related issues so in the end I had to reformat and start again. Fingers crossed it doesn't come back.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know what services you can and cannot, should and should not combine on your server.
Learn how ViaSat reduced average response times for IT incidents from 10 minutes to 30 seconds.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question