Solved

Active Directory Built-in Administrator account

Posted on 2013-11-18
15
546 Views
Last Modified: 2013-11-21
Hi EE

Any idea why I would see the Event IDs below coming from the Built-in Administrator account on mutliple DCs ?

This account is not used and I only the password to it .
events.png
0
Comment
Question by:MilesLogan
15 Comments
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657409
HI,

What is the event you are seeing ? Can you please provide Event ID / description ?

Regards,
Ram
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657424
Hello .. these are the events .. I also attached them .

EventID      Event Name
528      Successful Logon
538      User Logoff
576      Special privileges assigned to new logon successfully
552      Logon attempt using explicit credentials
537      Logon failure - The logon attempt failed for other reasons
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39657425
Have you got any services or scheduled jobs set-up that use it ?
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657431
Hi KCTS .. no to the question below .

" Have you got any services or scheduled jobs set-up that use it ?  "
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657462
Which user has this logs ? is it from SYSTEM user ?
DCs will not have local user account
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657474
This is for the built-in MyDomain\Administrator
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657501
Did you perform runas option ?or any application was started with admin privilege?
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657505
no action has been taken with that account ..
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657610
Is there any map drives created using this user. Also, you can clear the cached password from the  code mentioned in below link

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/A_448-How-to-DELETE-Windows-Local-Domain-Cached-Credentials.html
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657633
No mapped drives , no services , nothing .. No one knows the password so why its so strange that we would see those events coming from that account on some of the DCs.
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 100 total points
ID: 39658365
Can you verify the Logon type

Open Event viewer and select the Event 528 and verify the more details from that Log

Based on the type of the Logon you will get more details, how the login was happened like network, interactive, service,unlock, remote, cached etc..
It will also have the detail of from which machine logon happened and you can drilled down more based on that.
Please refer below article to referring logon type and it's definition


http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=528&EvtSrc=Security

Regards,
Ram
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 100 total points
ID: 39658687
Is there any PID mentioned in that event log, if yes, you can check in task manager to match with the processes running on that server.
0
 
LVL 19

Assisted Solution

by:compdigit44
compdigit44 earned 100 total points
ID: 39661099
1) Try to download and install ProcMon to track down any process or services running under the context of this user.

2) Do you have any type of account auditing enable on your DC's? If not you should enable it until you are able to track down the source of these events.

3) Do you have any scheduled task running under the admin account?
0
 
LVL 9

Accepted Solution

by:
Zenvenky earned 200 total points
ID: 39665917
All the above event IDs that you've mentioned appears when AD Auditing is enabled. Please check the same in any group policies and local group policy as well.
0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39667143
Thank you all for the great info .. I will work with these ideas and post back .
0

Join & Write a Comment

A procedure for exporting installed hotfix details of remote computers using powershell
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now