BrianRB (United States) asked:
Windows Audit Log - Strange Event - 4738 - UAC Change

We just purchased SolarWinds LEM and noticed a strange message.  Yesterday around 14:38, changes were made to many of our service and administrative accounts.  Source Logon ID is 0x3e6 and the Source Account is Anonymous Logon.  This is the part that concerns me.  Does anyone know what this means or what would cause it?  There is information out there, but I simply do not have time to parse through it all.  I thank everyone in advance for your help.
David Johnson, CD (Canada):
further information about this event
Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.
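The comparison described above can be reproduced by hand, which is a quick way to see whether the accounts in the question are simply being stamped by SDProp. The script below is an added example and is not code from the answer above or from Microsoft: it reads the DACL of CN=AdminSDHolder,CN=System, then reads the DACL of every principal carrying adminCount=1 (the mark SDProp leaves behind) and reports any ACEs that differ. It assumes the ActiveDirectory RSAT module and read access to the domain; the function name Get-DaclFingerprint is the example's own.

```powershell
# Added example: compare protected principals' DACLs with the AdminSDHolder template the
# way the hourly SDProp task on the PDC emulator does. Only the DACL is compared here;
# SDProp also copies the owner, which this example deliberately ignores.
# Assumes: ActiveDirectory RSAT module, read access to the domain.
Import-Module ActiveDirectory

function Get-DaclFingerprint {
    # One sortable string per explicit ACE (inherited ACEs are excluded; protected objects
    # have inheritance blocked anyway). Identities are kept as SIDs to avoid name lookups.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    $Sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
      ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference, $_.AccessControlType,
            $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType, $_.InheritanceType
      } | Sort-Object
}

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$holder   = Get-ADObject -Identity $holderDN -Properties nTSecurityDescriptor
$template = @(Get-DaclFingerprint $holder.nTSecurityDescriptor)

# adminCount=1 is the stamp SDProp leaves on every principal it has processed. Note that
# accounts removed from a protected group keep the stamp until someone clears it.
$stamped = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor, objectClass, whenChanged |
           Where-Object { $_.DistinguishedName -ne $holderDN }

$report = foreach ($obj in $stamped) {
    $mine = @(Get-DaclFingerprint $obj.nTSecurityDescriptor)
    $diff = Compare-Object -ReferenceObject $template -DifferenceObject $mine
    [pscustomobject]@{
        Name                 = $obj.Name
        Class                = $obj.ObjectClass
        WhenChanged          = $obj.whenChanged
        MatchesAdminSDHolder = (-not $diff)
        # ACEs on the object but not on the template: rights someone granted by hand that
        # SDProp will strip again within the hour (logging 4780/4738 when it does).
        ExtraAces            = ($diff | Where-Object SideIndicator -eq '=>' |
                                ForEach-Object InputObject) -join '; '
        # ACEs on the template but missing from the object: the object has not been
        # re-stamped since the template changed.
        MissingAces          = ($diff | Where-Object SideIndicator -eq '<=' |
                                ForEach-Object InputObject) -join '; '
    }
}

$report | Sort-Object MatchesAdminSDHolder, Name | Format-Table -AutoSize
```

Every row with MatchesAdminSDHolder set to True has already been reset to the template, which is the state the 4780 events describe. Rows with ExtraAces are the ones to look at: either an administrator delegated rights on a protected account (they will be silently removed) or the template itself has been modified, which is worth checking separately, since a change to AdminSDHolder's DACL is pushed to every protected account in the domain.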
BrianRB (asker):
Great info, thank you so much.  Do you have anything that cites your statements and references these errors?  I hope that doesn't come across the wrong way.  In our environment, they need to see things.  :)
btan:
The Caller Logon ID in the event log is basically a logon session ID on the local computer. This will allow you to chase down the user SID, authentication package, logon type, logon server, and when the user logged on and if you are really interested, the processes running in that logon session.  
This information can be further extracted with LogonSessions
- http://technet.microsoft.com/en-us/sysinternals/bb896769.aspx
(you can tell logonsessions to dump the processes running under the logon session with -p but that usually isn’t all that useful for that session because you will often see a bunch of svchost processes which really doesn’t help.)

Just want to be safe that no other unintended process is running, but as mentioned it can be in the guise of svchost.exe... nonetheless, as this pertains to an ACL change on accounts which are members of administrators groups, we may want, as due diligence, to perform an AV scan (with the latest updates) and check the event log history for any other errors (including security, system and application) that lead up to and follow the 4780 events.

It may be an expected event, though, but it is always good to be on the conservative side, esp. if this is the first time.

You can try the links below if you have other event IDs, to sieve out more info on the event
(where XXXX is the event ID, in this instance 4780)
- http://eventopedia.cloudapp.net/default.aspx?text=XXXX 
- http://www.eventid.net/display.asp?eventid=XXXX
And to add on it is good to know more on "AdminSDHolder". Active Directory Domain Services uses AdminSDHolder, protected groups and Security Descriptor propagator (SD propagator or SDPROP for short) to secure privileged users and groups from unintentional modification.

http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
Each Active Directory domain has an object called AdminSDHolder, which resides in the System container of the domain. The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups...Every hour, a background process runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on all security principals (users, groups and computer accounts) that belong to protected groups against the ACL on the AdminSDHolder object. If the size or the binary string is different, the security descriptor on the object is overwritten by the security descriptor from the AdminSDHolder object
A fairly large number of default users and groups are protected by AdminSDHolder. One thing to keep in mind is that users are protected by AdminSDHolder if they have direct or transitive membership in a security or distribution group. Distribution groups are included because a distribution group can be converted to a security group.

Microsoft has expanded the number of objects that are secured by AdminSDHolder, introduced the ability to exclude certain groups from AdminSDHolder and added the ability to control how often AdminSDHolder runs. It is good to note from the article how AdminSDHolder works and what cleanup is required when you remove a user from a protected group... this may be a false alarm by the AD security service...
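The two checks in the answer above (chase the Subject Logon ID back to a logon session, and look at what else the box logged before and after the 4780s) can be done directly from the Security log without LogonSessions. The script below is an added example, not code from the answer or from any of the tools it links: it pulls 4738 and 4780 events, names the well-known session IDs (0x3e6 is the fixed logon ID of ANONYMOUS LOGON, which is the value in the question; 0x3e7 is SYSTEM), resolves any other Subject Logon ID to the 4624 event that created that session, lists which attributes a 4738 actually changed, and prints Critical/Error/Warning events from System and Application around each hit. It assumes it is run elevated on the PDC emulator (where SDProp writes the 4780s); $Hours, $WindowMinutes and the helper name Get-EventFields are the example's own.

```powershell
# Added example: triage 4738/4780 events from the local Security log.
# Assumes: run elevated on the PDC emulator; lookback and context window are illustrative.
param(
    [int]$Hours = 24,          # how far back to look for 4738/4780
    [int]$WindowMinutes = 15   # System/Application context window around each hit
)

# Well-known logon session IDs (LUIDs) that never correspond to a 4624 of a real user.
$knownSessions = @{
    '0x3e7' = 'SYSTEM'
    '0x3e6' = 'ANONYMOUS LOGON'
    '0x3e5' = 'LOCAL SERVICE'
    '0x3e4' = 'NETWORK SERVICE'
}

function Get-EventFields {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[[string]$d.Name] = [string]$d.'#text' }
    return $fields
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738, 4780; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 4738/4780 events in the last $Hours hours."; return }

$parsed = foreach ($e in $events) { [pscustomobject]@{ Event = $e; Fields = (Get-EventFields $e) } }

# Resolve every non-well-known Subject Logon ID once: the 4624 whose TargetLogonId matches
# it carries the user SID, logon type, auth package, source host and logon time.
$needLookup = @($parsed | ForEach-Object { $_.Fields.SubjectLogonId.ToLower() } |
               Where-Object { -not $knownSessions.ContainsKey($_) } | Sort-Object -Unique)
$logons = @{}
if ($needLookup.Count -gt 0) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since.AddDays(-7) } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $l  = Get-EventFields $_
        $id = $l.TargetLogonId.ToLower()
        if ($needLookup -contains $id -and -not $logons.ContainsKey($id)) {
            $logons[$id] = "$($l.TargetDomainName)\$($l.TargetUserName) sid=$($l.TargetUserSid) " +
                           "type=$($l.LogonType) pkg=$($l.AuthenticationPackageName) " +
                           "from=$($l.IpAddress)/$($l.WorkstationName) at $($_.TimeCreated)"
        }
      }
}

# Subject/target bookkeeping fields; everything else in a 4738 is an attribute, logged as "-" if unchanged.
$skip = 'SubjectUserSid','SubjectUserName','SubjectDomainName','SubjectLogonId',
        'TargetUserName','TargetDomainName','TargetSid','PrivilegeList'

foreach ($p in $parsed) {
    $f    = $p.Fields
    $luid = $f.SubjectLogonId.ToLower()
    if ($knownSessions.ContainsKey($luid)) {
        $who = "$($knownSessions[$luid]) [well-known session $luid, no 4624 expected]"
    } elseif ($logons.ContainsKey($luid)) {
        $who = $logons[$luid]
    } else {
        $who = "$($f.SubjectDomainName)\$($f.SubjectUserName) [session $luid, no 4624 found in lookback]"
    }
    $changed = ($f.Keys | Where-Object { $skip -notcontains $_ -and $f[$_] -ne '-' } |
                ForEach-Object { "$_=$($f[$_])" }) -join '; '

    "{0}  {1}  target={2}\{3}" -f $p.Event.TimeCreated, $p.Event.Id, $f.TargetDomainName, $f.TargetUserName
    "    subject: $who"
    "    changed: $changed"

    # The diligence step: anything Critical/Error/Warning in System/Application around the hit.
    $t   = $p.Event.TimeCreated
    $ctx = Get-WinEvent -FilterHashtable @{ LogName = 'System','Application'; Level = 1,2,3;
             StartTime = $t.AddMinutes(-$WindowMinutes); EndTime = $t.AddMinutes($WindowMinutes) } -ErrorAction SilentlyContinue
    foreach ($c in $ctx) { "    context: {0} {1}/{2} {3}" -f $c.TimeCreated, $c.LogName, $c.Id, ($c.Message -split "`n")[0] }
}
```

Two things to read off the output. First, a Subject of ANONYMOUS LOGON with session 0x3e6 is a well-known LUID, so there is no 4624 to find and LogonSessions will not show a user behind it; the question's 14:38 burst against administrative accounts, with AdminSDHolder as the explanation in the answers above, fits that pattern. Second, an actual user session in the subject, or a "changed" list containing OldUacValue/NewUacValue on accounts that are not in a protected group, is the case that needs the AV scan and the wider log review the answer recommends.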
ASKER CERTIFIED SOLUTION
btan