SBS 2011 domain controller, 10 Windows 7 machines.
Everything was working fine last night when people went home.
This morning, no one could log in to their accounts on the workstations. After entering their creds, they got another login box that had the warning: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."
I disconnected the server from the network and now everyone can log in to their workstations with the cached credentials. They have internet and everything they need except what's on the server that I disconnected.
The terrifying bit is that the administrator password had changed. I couldn't log into the server. It said the username or password is incorrect. The only two people with admin access said they haven't changed the password and I'm inclined to believe them. For this reason I could only assume the server was compromised.
I used this guide to reset the admin account password (luckily the account name hadn't been changed): http://sysadmin.magnix.nl/?p=112
After regaining access to the admin account, it was acting a little flaky. Explorer kept crashing and I could only open certain utilities but not others. For instance, I could open computer properties but the management console would hang.
I created another admin account to test for a corrupt profile. When trying to log in to the new account, it hangs while setting up the desktop and never gets there.
At this point, I'm inclined to think it's a hardware issue or corrupt profile. But what could have changed the admin password? My favorite option right now is to completely reload from last night's backup. If it's a hardware problem we'll find out pretty quickly. If it's a profile issue, that will hopefully fix it.
The only reason I'm concerned it might have been compromised is because of the changed admin password and the error users get when trying to authenticate with the server. There are very sensitive documents and SSL certs stored on this server so I'm being a little paranoid.
What other TSing steps would you suggest before I make the leap and reload?
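One check worth running before reloading, as an added example that is not part of the original post: the DC's Security log records who reset or changed an account's password (event 4724 / 4738) and who created accounts (4720), so pulling those entries for the administrator account shows whether the change was made interactively by a known user or by something else. It assumes the account is still named "Administrator", that account-management auditing is on (the default on a domain controller), and that the log has not been cleared; it is written for the PowerShell 2.0 that SBS 2011 ships with.

```powershell
# Added example, not from the original post: list password resets, account changes and
# account creations touching the Administrator account in the last two days, with the
# account that performed each one. Assumed names: target account "Administrator".
$target = 'Administrator'
$since  = (Get-Date).AddDays(-2)

# 4724 = attempt to reset an account's password
# 4738 = user account changed (includes self-service password changes)
# 4720 = user account created (a new admin account would show up here)
$filter = @{ LogName = 'Security'; Id = 4724, 4738, 4720; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # The interesting fields live in the EventData section of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4720 names the new account in TargetUserName; keep all of those, and only
    # 4724/4738 entries that target the administrator account
    if ($e.Id -ne 4720 -and $data['TargetUserName'] -ne $target) { continue }

    # SubjectUserName is the account that made the change; SubjectLogonId can be
    # matched against a 4624 logon event to see where that session came from
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Target    = $data['TargetUserName']
        ChangedBy = $data['SubjectUserName']
        Domain    = $data['SubjectDomainName']
        LogonId   = $data['SubjectLogonId']
    }
}
```

If the log shows nothing for the relevant window, or the Security log was cleared (event 1102), that is itself a finding to weigh against the "corrupt profile" theory; the workstation-side error can also be checked from a Windows 7 machine with `Test-ComputerSecureChannel`, which reports whether its secure channel to the DC is still valid.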