Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Active Directory Built-in Administrator account

Posted on 2013-11-18
15
Medium Priority
?
585 Views
Last Modified: 2013-11-21
Hi EE

Any idea why I would see the Event IDs below coming from the Built-in Administrator account on mutliple DCs ?

This account is not used and I only the password to it .
events.png
0
Comment
Question by:MilesLogan
15 Comments
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657409
HI,

What is the event you are seeing ? Can you please provide Event ID / description ?

Regards,
Ram
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657424
Hello .. these are the events .. I also attached them .

EventID      Event Name
528      Successful Logon
538      User Logoff
576      Special privileges assigned to new logon successfully
552      Logon attempt using explicit credentials
537      Logon failure - The logon attempt failed for other reasons
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39657425
Have you got any services or scheduled jobs set-up that use it ?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 2

Author Comment

by:MilesLogan
ID: 39657431
Hi KCTS .. no to the question below .

" Have you got any services or scheduled jobs set-up that use it ?  "
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657462
Which user has this logs ? is it from SYSTEM user ?
DCs will not have local user account
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657474
This is for the built-in MyDomain\Administrator
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657501
Did you perform runas option ?or any application was started with admin privilege?
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657505
no action has been taken with that account ..
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39657610
Is there any map drives created using this user. Also, you can clear the cached password from the  code mentioned in below link

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/A_448-How-to-DELETE-Windows-Local-Domain-Cached-Credentials.html
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39657633
No mapped drives , no services , nothing .. No one knows the password so why its so strange that we would see those events coming from that account on some of the DCs.
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 400 total points
ID: 39658365
Can you verify the Logon type

Open Event viewer and select the Event 528 and verify the more details from that Log

Based on the type of the Logon you will get more details, how the login was happened like network, interactive, service,unlock, remote, cached etc..
It will also have the detail of from which machine logon happened and you can drilled down more based on that.
Please refer below article to referring logon type and it's definition


http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=528&EvtSrc=Security

Regards,
Ram
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 400 total points
ID: 39658687
Is there any PID mentioned in that event log, if yes, you can check in task manager to match with the processes running on that server.
0
 
LVL 20

Assisted Solution

by:compdigit44
compdigit44 earned 400 total points
ID: 39661099
1) Try to download and install ProcMon to track down any process or services running under the context of this user.

2) Do you have any type of account auditing enable on your DC's? If not you should enable it until you are able to track down the source of these events.

3) Do you have any scheduled task running under the admin account?
0
 
LVL 10

Accepted Solution

by:
ZenVenky earned 800 total points
ID: 39665917
All the above event IDs that you've mentioned appears when AD Auditing is enabled. Please check the same in any group policies and local group policy as well.
0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39667143
Thank you all for the great info .. I will work with these ideas and post back .
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question