Is it possible to log on to SBS server via local admin unauthorised?

Hi, I am facing issues with a server where, every time I log on, I am having to revert back to the domain to be able to log on. When I have logged on in the past it has always defaulted to the domain\administrator so I enter the password and I am straight in.

Recently, when I then go to RDP back in, first of all I am getting randomly kicked off and secondly it's as if there is another account that someone else is logging on to.

I believe it's not possible to have a local admin account on a DC, but how do I check to see if someone is logging on to this server without authorisation? Is there some logging software or a quick way to check logs etc.?

I may just be being paranoid, but when I last logged on there was some software that was open for auditing and I know I didn't open it and, as far as I am aware or my client, nobody else has access.

Thoughts please?

Thanks

Chris
Asked by: chrishoy-iis

Aaron commented:
Check the security log for event ID 528. That is the event for a successful logon. If the other user is using the same account as you (kicking you off the sessions) then this won't work, but a quick password change would probably fix that.
Andy M (Internal Systems Manager) commented:
Hi Chris

No, an SBS server is always a domain controller so there won't be any local accounts - only the domain accounts. The 'Administrator' account name (and also admin) is a common target for hacking attempts so depending on how strong your password is it may have been compromised.

In this instance I would firstly prevent internet access to the server.
Reset the administrator password to something stronger (or even better - set up a domain admin account with a different name and disable the administrator account - make sure any services run under the new account before doing so).
I would then run a full anti-virus and anti-spyware scan on the system, and check for any new applications that may have been installed.
It would also be worth checking through your AD to see if any strange looking/unknown accounts have been set up which may also be used to allow access to the server.

To check on logins, the first port of call would be the Security log in Event Viewer, as any login is recorded in there. There are also many different auditing software packages available, as well as some batch/VB scripts that can create a log of when users log on when run as part of a startup script.

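Added example (not part of the original thread or any poster's code): the Security log review that Aaron and Andy M suggest, written as Python over events exported from the log. It flags RDP logons (event ID 528, logon type 10) from addresses you do not recognise, and the same account logging on from two different addresses within an hour, which is the "kicked off" symptom in the question. The record layout (`id`, `time`, `message`), the field labels in the message text, and every name and address in the sample are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not from the thread): event ID, time, description text.
SAMPLE_EVENTS = [
    {"id": 528, "time": "2010-03-01 09:02:11", "message":
     "Successful Logon:\n\tUser Name:\tAdministrator\n\tLogon Type:\t10\n"
     "\tSource Network Address:\t192.168.1.20\n"},
    {"id": 528, "time": "2010-03-01 09:15:40", "message":
     "Successful Logon:\n\tUser Name:\tAdministrator\n\tLogon Type:\t10\n"
     "\tSource Network Address:\t203.0.113.45\n"},
    {"id": 528, "time": "2010-03-01 09:20:00", "message":
     "Successful Logon:\n\tUser Name:\tbackupsvc\n\tLogon Type:\t5\n"
     "\tSource Network Address:\t-\n"},
    {"id": 538, "time": "2010-03-01 09:30:00", "message": "User Logoff:\n"},
    {"id": 528, "time": "2010-03-01 14:30:05", "message":
     "Successful Logon:\n\tUser Name:\tAdministrator\n\tLogon Type:\t10\n"
     "\tSource Network Address:\t192.168.1.20\n"},
]

# Assumption: field labels match the event 528 description text on the server.
FIELD = re.compile(r"^[ \t]*(User Name|Logon Type|Source Network Address):[ \t]*(\S+)", re.M)
RDP = 10  # logon type 10 = RemoteInteractive (Terminal Services / RDP)

def parse_logon(event):
    """Return (time, user, logon_type, source) for a 528 event, else None."""
    if event["id"] != 528:
        return None
    f = dict(FIELD.findall(event["message"]))
    if "User Name" not in f or not f.get("Logon Type", "").isdigit():
        return None
    when = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")
    return when, f["User Name"].lower(), int(f["Logon Type"]), f.get("Source Network Address", "-")

def review_rdp_logons(events, known_sources, window=timedelta(hours=1)):
    """Return (unknown, shared): RDP logons from addresses outside known_sources,
    and accounts used from two different addresses within `window`."""
    logons = sorted(l for l in map(parse_logon, events) if l and l[2] == RDP)
    unknown = [(t, u, s) for t, u, _, s in logons if s not in known_sources]
    shared, last = [], {}
    for t, u, _, s in logons:
        if u in last and last[u][1] != s and t - last[u][0] <= window:
            shared.append((u, last[u][1], s, t))
        last[u] = (t, s)
    return unknown, shared

if __name__ == "__main__":
    print(review_rdp_logons(SAMPLE_EVENTS, known_sources={"192.168.1.20"}))
```

A hit in `shared` means the account's password is in use from somewhere else, so it calls for the password reset both answers recommend rather than more log reading.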
chrishoy-iis (Author) commented:
Checked all of the above and now secure from future access by anybody else.

Thanks