Solved

Active Directory Built-in Administrator account

Posted on 2013-11-18
Last Modified: 2013-11-21
Hi EE

Any idea why I would see the Event IDs below coming from the Built-in Administrator account on multiple DCs?

This account is not used and I only the password to it.
Question by:MilesLogan
15 Comments
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657409
Hi,

What is the event you are seeing? Can you please provide the Event ID / description?

Regards,
Ram
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657424
Hello, these are the events. I also attached them.

EventID      Event Name
528      Successful Logon
538      User Logoff
576      Special privileges assigned to new logon successfully
552      Logon attempt using explicit credentials
537      Logon failure - The logon attempt failed for other reasons
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39657425
Have you got any services or scheduled jobs set up that use it?
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657431
Hi KCTS, no to the question below.

"Have you got any services or scheduled jobs set-up that use it ?"
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657462
Which user has these logs? Is it from the SYSTEM user?
DCs will not have local user accounts.
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657474
This is for the built-in MyDomain\Administrator
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657501
Did you use the runas option? Or was any application started with admin privilege?
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657505
No action has been taken with that account.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657610
Are there any mapped drives created using this user? Also, you can clear the cached password using the code mentioned in the link below:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/A_448-How-to-DELETE-Windows-Local-Domain-Cached-Credentials.html
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657633
No mapped drives, no services, nothing. No one knows the password, which is why it's so strange that we would see those events coming from that account on some of the DCs.
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 100 total points
ID: 39658365
Can you verify the logon type?

Open Event Viewer, select Event 528, and check the details in that log entry.

Based on the logon type you will get more details on how the logon happened: network, interactive, service, unlock, remote, cached, etc.
It will also show which machine the logon came from, and you can drill down further based on that.
Please refer to the article below for the logon types and their definitions:


http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=528&EvtSrc=Security

Regards,
Ram
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 100 total points
ID: 39658687
Is there any PID mentioned in that event log? If yes, you can check in Task Manager to match it with the processes running on that server.
0
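Added example (not part of the thread): a PowerShell sketch of the two checks suggested in the replies above, reading the logon type and source machine from event 528 and the caller PID to match against running processes. The field labels assume the classic event 528 message layout; the function name `ConvertFrom-LogonMessage`, the host `DC01`, the address and the sample message are constructed for illustration.

```powershell
# Logon type codes found in the "Logon Type" field of logon events.
$LogonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertFrom-LogonMessage {
    # Hypothetical helper: extracts the tracing fields from a 528 message body.
    param([Parameter(Mandatory = $true)][string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        # Detail lines look like "<Field Name>: <value>"; the value may be empty.
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $type = [int]$fields['Logon Type']
    $name = $LogonTypes[$type]
    if (-not $name) { $name = 'Unknown' }
    New-Object PSObject -Property @{
        UserName        = $fields['User Name']
        Domain          = $fields['Domain']
        LogonType       = $type
        LogonTypeName   = $name
        Workstation     = $fields['Workstation Name']
        SourceAddress   = $fields['Source Network Address']
        CallerProcessId = $fields['Caller Process ID']
    }
}

# Constructed sample message, so the parser can be tried offline.
$sample = @"
Successful Logon:
    User Name:  Administrator
    Domain:     MYDOMAIN
    Logon Type: 10
    Logon Process:  User32
    Workstation Name:   DC01
    Caller Process ID:  1234
    Source Network Address: 192.0.2.15
"@
ConvertFrom-LogonMessage -Message $sample   # LogonTypeName = RemoteInteractive

# On a DC (Windows PowerShell), feed the real Security log entries instead:
# Get-EventLog -LogName Security -InstanceId 528 -Newest 200 |
#     ForEach-Object { ConvertFrom-LogonMessage $_.Message } |
#     Where-Object { $_.UserName -eq 'Administrator' }
```

Grouping the output by `LogonTypeName` and `Workstation` shows whether the Administrator logons are interactive, service or remote sessions and which machine they come from.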
 
LVL 19

Assisted Solution

by:compdigit44
compdigit44 earned 100 total points
ID: 39661099
1) Try to download and install ProcMon to track down any processes or services running under the context of this user.

2) Do you have any type of account auditing enabled on your DCs? If not, you should enable it until you are able to track down the source of these events.

3) Do you have any scheduled tasks running under the admin account?
0
 
LVL 9

Accepted Solution

by:Zenvenky
Zenvenky earned 200 total points
ID: 39665917
All the above event IDs that you've mentioned appear when AD Auditing is enabled. Please check the same in any group policies and the local group policy as well.
0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39667143
Thank you all for the great info. I will work with these ideas and post back.
0
