asked on Active Directory Built-in Administrator account
Hi EE
Any idea why I would see the Event IDs below coming from the Built-in Administrator account on mutliple DCs ?
This account is not used and I only the password to it .
events.png
Any idea why I would see the Event IDs below coming from the Built-in Administrator account on mutliple DCs ?
This account is not used and I only the password to it .
events.png
Active DirectoryWindows Server 2003Windows Server 2008
Last Comment
MilesLogan
ASKER
Hello .. these are the events .. I also attached them .
EventID Event Name
528 Successful Logon
538 User Logoff
576 Special privileges assigned to new logon successfully
552 Logon attempt using explicit credentials
537 Logon failure - The logon attempt failed for other reasons
EventID Event Name
528 Successful Logon
538 User Logoff
576 Special privileges assigned to new logon successfully
552 Logon attempt using explicit credentials
537 Logon failure - The logon attempt failed for other reasons
Have you got any services or scheduled jobs set-up that use it ?
ASKER
Hi KCTS .. no to the question below .
" Have you got any services or scheduled jobs set-up that use it ? "
" Have you got any services or scheduled jobs set-up that use it ? "
Which user has this logs ? is it from SYSTEM user ?
DCs will not have local user account
DCs will not have local user account
ASKER
This is for the built-in MyDomain\Administrator
Did you perform runas option ?or any application was started with admin privilege?
ASKER
no action has been taken with that account ..
Is there any map drives created using this user. Also, you can clear the cached password from the code mentioned in below link
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/A_448-How-to-DELETE-Windows-Local-Domain-Cached-Credentials.html
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/A_448-How-to-DELETE-Windows-Local-Domain-Cached-Credentials.html
ASKER
No mapped drives , no services , nothing .. No one knows the password so why its so strange that we would see those events coming from that account on some of the DCs.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thank you all for the great info .. I will work with these ideas and post back .
What is the event you are seeing ? Can you please provide Event ID / description ?
Regards,
Ram