Solved

Active Directory Built-in Administrator account

Posted on 2013-11-18
15
558 Views
Last Modified: 2013-11-21
Hi EE

Any idea why I would see the Event IDs below coming from the Built-in Administrator account on mutliple DCs ?

This account is not used and I only the password to it .
events.png
0
Comment
Question by:MilesLogan
15 Comments
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657409
HI,

What is the event you are seeing ? Can you please provide Event ID / description ?

Regards,
Ram
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657424
Hello .. these are the events .. I also attached them .

EventID      Event Name
528      Successful Logon
538      User Logoff
576      Special privileges assigned to new logon successfully
552      Logon attempt using explicit credentials
537      Logon failure - The logon attempt failed for other reasons
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39657425
Have you got any services or scheduled jobs set-up that use it ?
0
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

 
LVL 2

Author Comment

by:MilesLogan
ID: 39657431
Hi KCTS .. no to the question below .

" Have you got any services or scheduled jobs set-up that use it ?  "
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657462
Which user has this logs ? is it from SYSTEM user ?
DCs will not have local user account
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657474
This is for the built-in MyDomain\Administrator
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657501
Did you perform runas option ?or any application was started with admin privilege?
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657505
no action has been taken with that account ..
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657610
Is there any map drives created using this user. Also, you can clear the cached password from the  code mentioned in below link

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/A_448-How-to-DELETE-Windows-Local-Domain-Cached-Credentials.html
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657633
No mapped drives , no services , nothing .. No one knows the password so why its so strange that we would see those events coming from that account on some of the DCs.
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 100 total points
ID: 39658365
Can you verify the Logon type

Open Event viewer and select the Event 528 and verify the more details from that Log

Based on the type of the Logon you will get more details, how the login was happened like network, interactive, service,unlock, remote, cached etc..
It will also have the detail of from which machine logon happened and you can drilled down more based on that.
Please refer below article to referring logon type and it's definition


http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=528&EvtSrc=Security

Regards,
Ram
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 100 total points
ID: 39658687
Is there any PID mentioned in that event log, if yes, you can check in task manager to match with the processes running on that server.
0
 
LVL 20

Assisted Solution

by:compdigit44
compdigit44 earned 100 total points
ID: 39661099
1) Try to download and install ProcMon to track down any process or services running under the context of this user.

2) Do you have any type of account auditing enable on your DC's? If not you should enable it until you are able to track down the source of these events.

3) Do you have any scheduled task running under the admin account?
0
 
LVL 9

Accepted Solution

by:
Zenvenky earned 200 total points
ID: 39665917
All the above event IDs that you've mentioned appears when AD Auditing is enabled. Please check the same in any group policies and local group policy as well.
0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39667143
Thank you all for the great info .. I will work with these ideas and post back .
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question