Solved

Windows Server 2008 R2 password and account issues

Posted on 2013-05-12
Last Modified: 2013-05-28
Hi all, I have a potentially serious problem. I recently installed a new server and set up Remote Desktop Services for all the users. Only myself and 2 other usernames had administrator privileges. I got a call from one of the staff members saying the password is not accepted and asking if I had changed it. I have since found that all administrator account passwords are not working, some usernames are not even listed anymore in Computer Management, and there are 2 more accounts set up with administrator access. These are called MicrosoftTM and Systems.

Can anybody please help me? Is there a way to retrieve the passwords, or perhaps restart the server with standard user access in case it just needs a reboot? Or is it more serious, and someone has gotten into the system and stuffed around with the settings?

I had a look through event viewer but could not see any logs that mention password changed or anything like that.
Question by:cybertechcomputers
3 Comments
 

Accepted Solution

by:
Tony1044 earned 500 total points
On the face of it, someone or something has compromised your systems.

It isn't uncommon for people to name an account something that would, at a casual glance, pass for a system or Microsoft account.

System / Systems - very close. There is no inbuilt account called Systems or MicrosoftTM.

Is the problem Domain-Wide?

If so, you may be better off isolating the RDS box (was this internet facing? Do you know for sure it was the attack platform?).

I would look to get hold of a boot-CD that can change the password on that machine and then trawl the logs to see if you can determine who, why and when it was changed.

If it's domain wide you will need to restore AD I'm afraid - I would do it in parallel with the above.

Do you have strong password policies in place? Many attack vectors for RDS on internet facing servers look for weak passwords on port 3389.

Expert Comment

by:Leon Fester
Were any new group policies applied after your Server was put into production?
Even a simple task like moving a computer from existing OU or Computers container to another OU could result in new Group Policies being applied.

If you have local accounts then the restricted accounts policy could remove the other accounts.

Run:
gpresult /h gpresult.html
or
rsop.msc
to see the Group policy settings that are being applied to that computer.
 

Author Closing Comment

by:cybertechcomputers
Thank you for the replies. Indeed, it was some spyware junk on the server. I managed to reset the admin password and get back into the server. However, it had continual virus-related issues, so in the end I had to reformat and start again. Fingers crossed it doesn't come back.
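
One way to do the log trawl suggested in the accepted answer, shown as an added PowerShell example that is not part of the original thread. It assumes the Security log has not been cleared, that account-management auditing was enabled, and that it is run from an elevated prompt; the helper name Get-EventField is hypothetical.

```powershell
# Added example: list account-management events from the local Security log.
# Event IDs (Windows Server 2008 and later):
#   4720 user account created       4724 password reset attempted
#   4726 user account deleted       4738 user account changed
#   4732 member added to a security-enabled local group (e.g. Administrators)
#   1102 audit log cleared
$ids = 4720, 4724, 4726, 4732, 4738, 1102

# Account names reported in the question; rows that target them are flagged.
$suspect = 'MicrosoftTM', 'Systems'

# Hypothetical helper: read one named <Data> value from the event XML.
# 1102 stores its details under UserData, so its fields come back empty here.
function Get-EventField($xml, $name) {
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }
    if ($node) { $node.'#text' } else { $null }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    # Nothing found: either the prompt is not elevated, the log was cleared,
    # or auditing was never switched on. Show the current audit policy.
    Write-Warning 'No account-management events found in the Security log.'
    auditpol /get /category:"Account Management"
    return
}

$events | Sort-Object TimeCreated | ForEach-Object {
    $x      = [xml]$_.ToXml()
    $target = Get-EventField $x 'TargetUserName'   # for 4732 this is the group
    $flag   = ''
    if ($suspect -contains $target) { $flag = 'SUSPECT' }

    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Id        = $_.Id
        Actor     = Get-EventField $x 'SubjectUserName'  # who made the change
        Target    = $target
        MemberSid = Get-EventField $x 'MemberSid'        # filled for 4732 only
        Flag      = $flag
    }
} | Select-Object Time, Id, Actor, Target, MemberSid, Flag | Format-Table -AutoSize
```

The Actor column and the time of the first 4720 or 4732 row give the "who" and "when"; a 1102 row, or an empty result on a server that has been in use, means the log itself cannot be relied on.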