Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Windows Server 2008 R2 password and account issues

Posted on 2013-05-12
3
Medium Priority
?
439 Views
Last Modified: 2013-05-28
Hi all, i have potentially a serious problem. i have recently installed a new server and setup remote desktop services for all the users. Only myself and 2 other usernames were administrator privileges, i got a call from on the staff members saying the password is not accepted and to ask if i changed it. I have since found all administrator account passwords are not working, some usernames are not even listed anymore in computer management and there are 2 more accounts setup as administrator access. These are called MicrosoftTM and Systems.

Can anybody please help me, is there a way to retreive the passwords, or perhaps restart the server with standard user access incase its just needs a reboot, or is it more serious and someone has gotten into the system and stuffed around with the settings.

I had a look through event viewer but could not see any logs that mention password changed or anything like that.
0
Comment
Question by:cybertechcomputers
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 26

Accepted Solution

by:
Tony J earned 2000 total points
ID: 39160910
On the face of it, someone or something has compromised your systems.

It isn't uncommon for people to name an account something that would, at a casual glance, pass for a system or Microsoft account.

System / Sysetms - very close. There is no inbuilt account call Systems or MicrosoftTM.

Is the problem Domain-Wide?

If so, you may be better off isolating the RDS box (was this internet facing? Do you know for sure it was the attack platform?).

I would look to get hold of a boot-CD that can change the password on that machine and then trawl the logs to see if you can determine who, why and when it was changed.

If it's domain wide you will need to restore AD I'm afraid - I would do it in parallel with the above.

Do you have strong password policies in place? Many attack vectors for RDS on internet facing servers look for weak passwords on port 3389.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39161034
Were any new group policies applied after your Server was put into production?
Even a simple task like moving a computer from existing OU or Computers container to another OU could result in new Group Policies being applied.

If you have local accounts then the restrited accounts policy could remove the other accounts.

Run:
gpresult /h gpresult.html
or
rsop.msc
to see the Group policy settings that are being applied to that computer.
0
 

Author Closing Comment

by:cybertechcomputers
ID: 39203640
Thank you for the replies, indeed it was some spyware junk on the server. I managed to reset the admin password and get back into the server. however it had continual virus related issues so in the end I had to reformat and start again. Fingers crossed it doesn't come back.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The top devops trends for 2017 are focused on improved deployment frequency, decreased lead time for change and decreased MTTR.
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question