Solved

Active Directory Built-in Administrator account

Posted on 2013-11-18
15
561 Views
Last Modified: 2013-11-21
Hi EE

Any idea why I would see the Event IDs below coming from the Built-in Administrator account on mutliple DCs ?

This account is not used and I only the password to it .
events.png
0
Comment
Question by:MilesLogan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
15 Comments
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657409
HI,

What is the event you are seeing ? Can you please provide Event ID / description ?

Regards,
Ram
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657424
Hello .. these are the events .. I also attached them .

EventID      Event Name
528      Successful Logon
538      User Logoff
576      Special privileges assigned to new logon successfully
552      Logon attempt using explicit credentials
537      Logon failure - The logon attempt failed for other reasons
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39657425
Have you got any services or scheduled jobs set-up that use it ?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 2

Author Comment

by:MilesLogan
ID: 39657431
Hi KCTS .. no to the question below .

" Have you got any services or scheduled jobs set-up that use it ?  "
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657462
Which user has this logs ? is it from SYSTEM user ?
DCs will not have local user account
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657474
This is for the built-in MyDomain\Administrator
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657501
Did you perform runas option ?or any application was started with admin privilege?
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657505
no action has been taken with that account ..
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657610
Is there any map drives created using this user. Also, you can clear the cached password from the  code mentioned in below link

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/A_448-How-to-DELETE-Windows-Local-Domain-Cached-Credentials.html
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657633
No mapped drives , no services , nothing .. No one knows the password so why its so strange that we would see those events coming from that account on some of the DCs.
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 100 total points
ID: 39658365
Can you verify the Logon type

Open Event viewer and select the Event 528 and verify the more details from that Log

Based on the type of the Logon you will get more details, how the login was happened like network, interactive, service,unlock, remote, cached etc..
It will also have the detail of from which machine logon happened and you can drilled down more based on that.
Please refer below article to referring logon type and it's definition


http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=528&EvtSrc=Security

Regards,
Ram
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 100 total points
ID: 39658687
Is there any PID mentioned in that event log, if yes, you can check in task manager to match with the processes running on that server.
0
 
LVL 20

Assisted Solution

by:compdigit44
compdigit44 earned 100 total points
ID: 39661099
1) Try to download and install ProcMon to track down any process or services running under the context of this user.

2) Do you have any type of account auditing enable on your DC's? If not you should enable it until you are able to track down the source of these events.

3) Do you have any scheduled task running under the admin account?
0
 
LVL 9

Accepted Solution

by:
Zenvenky earned 200 total points
ID: 39665917
All the above event IDs that you've mentioned appears when AD Auditing is enabled. Please check the same in any group policies and local group policy as well.
0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39667143
Thank you all for the great info .. I will work with these ideas and post back .
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ADFS trust for Skype 4 29
Unable to access folder shares on Netapp 1 26
Active Directory Disappeared 2 55
Azure AD / OAUTH 2 46
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question