• Status: Solved

Active Directory Built-in Administrator account

Hi EE

Any idea why I would see the Event IDs below coming from the Built-in Administrator account on multiple DCs?

This account is not used and I only have the password to it.
events.png
Asked: MilesLogan
 
Ram Balachandran commented:
Hi,

What is the event you are seeing? Can you please provide the Event ID / description?

Regards,
Ram

MilesLogan (Author) commented:
Hello. These are the events; I also attached them.

EventID   Event Name
528       Successful Logon
538       User Logoff
576       Special privileges assigned to new logon successfully
552       Logon attempt using explicit credentials
537       Logon failure - The logon attempt failed for other reasons

KCTS commented:
Have you got any services or scheduled jobs set up that use it?
MilesLogan (Author) commented:
Hi KCTS, no to the question below.

"Have you got any services or scheduled jobs set up that use it?"

Ram Balachandran commented:
Which user has these logs? Is it from the SYSTEM user?
DCs will not have local user accounts.

MilesLogan (Author) commented:
This is for the built-in MyDomain\Administrator.

Ram Balachandran commented:
Did you use the runas option? Or was any application started with admin privileges?

MilesLogan (Author) commented:
No action has been taken with that account.

Ram Balachandran commented:
Are there any mapped drives created using this user? Also, you can clear the cached password using the code mentioned in the link below:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/A_448-How-to-DELETE-Windows-Local-Domain-Cached-Credentials.html

MilesLogan (Author) commented:
No mapped drives, no services, nothing. No one knows the password, which is why it's so strange that we would see those events coming from that account on some of the DCs.

Ram Balachandran commented:
Can you verify the logon type?

Open Event Viewer, select Event 528 and check the details of that log entry.

Based on the logon type you will get more detail on how the login happened: network, interactive, service, unlock, remote, cached, etc.
It will also show which machine the logon came from, and you can drill down further based on that.
Please refer to the article below for the logon types and their definitions:

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=528&EvtSrc=Security

Regards,
Ram
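As an added example (not code from the thread), the check Ram describes, done in bulk: pull the listed legacy Security events for the built-in Administrator from several DCs and summarise them by logon type and source machine. It assumes Windows PowerShell on DCs that still emit the pre-Vista 5xx event IDs, and the DC names and 7-day window are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell (Get-EventLog)
# and pre-2008 DCs whose Security log still uses event IDs 528/538/576/552/537.
$ids     = 528, 538, 576, 552, 537
$account = 'Administrator'
$dcs     = 'DC1', 'DC2'            # constructed names, replace with your DCs

# Numeric "Logon Type:" values from event 528, mapped to the names Ram lists.
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

$results = foreach ($dc in $dcs) {
    Get-EventLog -ComputerName $dc -LogName Security -After (Get-Date).AddDays(-7) |
        Where-Object { $ids -contains $_.EventID -and $_.Message -match "User Name:\s+$account\b" } |
        ForEach-Object {
            $m    = $_.Message
            $type = if ($m -match 'Logon Type:\s+(\d+)') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{
                DC          = $dc
                Time        = $_.TimeGenerated
                EventID     = $_.EventID
                LogonType   = if ($type) { "$type ($($logonTypes[$type]))" } else { '' }
                # Source machine / address fields present in 528 on Windows 2003.
                Workstation = if ($m -match 'Workstation Name:\s+(\S+)') { $Matches[1] } else { '' }
                SourceIP    = if ($m -match 'Source Network Address:\s+(\S+)') { $Matches[1] } else { '' }
                # Caller Process ID lets you match the logon to a process, as Pramod suggests.
                CallerPID   = if ($m -match 'Caller Process ID:\s+(\d+)') { $Matches[1] } else { '' }
            }
        }
}

# Which event / logon type / source machine combinations account for the activity?
$results | Group-Object EventID, LogonType, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Full detail, oldest first, for drilling down on a single DC.
$results | Sort-Object Time | Format-Table -AutoSize
```

A logon type of 5 (Service) or 4 (Batch) points at a service or scheduled task, 3 (Network) with a non-DC workstation name points at a remote machine using the credentials, and 552 events show explicit use of the credentials (runas or similar).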
 
Pramod Ubhe commented:
Is there any PID mentioned in that event log? If yes, you can check Task Manager to match it with the processes running on that server.

compdigit44 commented:
1) Try to download and install ProcMon to track down any process or services running under the context of this user.

2) Do you have any type of account auditing enabled on your DCs? If not, you should enable it until you are able to track down the source of these events.

3) Do you have any scheduled task running under the admin account?

ZenVenkyArchitect commented:
All the above event IDs that you've mentioned appear when AD auditing is enabled. Please check the same in any group policies and the local group policy as well.

MilesLogan (Author) commented:
Thank you all for the great info. I will work with these ideas and post back.