Solved

Windows Server 2008 R2 password and account issues

Posted on 2013-05-12
3
433 Views
Last Modified: 2013-05-28
Hi all, i have potentially a serious problem. i have recently installed a new server and setup remote desktop services for all the users. Only myself and 2 other usernames were administrator privileges, i got a call from on the staff members saying the password is not accepted and to ask if i changed it. I have since found all administrator account passwords are not working, some usernames are not even listed anymore in computer management and there are 2 more accounts setup as administrator access. These are called MicrosoftTM and Systems.

Can anybody please help me, is there a way to retreive the passwords, or perhaps restart the server with standard user access incase its just needs a reboot, or is it more serious and someone has gotten into the system and stuffed around with the settings.

I had a look through event viewer but could not see any logs that mention password changed or anything like that.
0
Comment
Question by:cybertechcomputers
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 25

Accepted Solution

by:
Tony Johncock earned 500 total points
ID: 39160910
On the face of it, someone or something has compromised your systems.

It isn't uncommon for people to name an account something that would, at a casual glance, pass for a system or Microsoft account.

System / Sysetms - very close. There is no inbuilt account call Systems or MicrosoftTM.

Is the problem Domain-Wide?

If so, you may be better off isolating the RDS box (was this internet facing? Do you know for sure it was the attack platform?).

I would look to get hold of a boot-CD that can change the password on that machine and then trawl the logs to see if you can determine who, why and when it was changed.

If it's domain wide you will need to restore AD I'm afraid - I would do it in parallel with the above.

Do you have strong password policies in place? Many attack vectors for RDS on internet facing servers look for weak passwords on port 3389.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39161034
Were any new group policies applied after your Server was put into production?
Even a simple task like moving a computer from existing OU or Computers container to another OU could result in new Group Policies being applied.

If you have local accounts then the restrited accounts policy could remove the other accounts.

Run:
gpresult /h gpresult.html
or
rsop.msc
to see the Group policy settings that are being applied to that computer.
0
 

Author Closing Comment

by:cybertechcomputers
ID: 39203640
Thank you for the replies, indeed it was some spyware junk on the server. I managed to reset the admin password and get back into the server. however it had continual virus related issues so in the end I had to reformat and start again. Fingers crossed it doesn't come back.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Both MMF (multi-mode fiber) and SMF (single-mode fiber) are types of optical fiber that can aid in communication applications. These thin strands of silica or glass will allow communication to occur between devices. The transmission of light between…
Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question