ITinVA

We have an Enterprise network and no one really uses the local admin accounts, I just happen to notice it and when I researched more machines that's when I realized it had done it throughout the network. Good news- We did figure it out (Thanx Spyderman2) as we obviously have numerous Domain Admins with rights to change GPO's. Someone (who didn't know how to do it CORRECTLY) changed the GPO in "Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Rename administrator account, and instead of correctly disabling the service (by UNchecking the box) they ENABLED it by checking, then put the WORD "Disabled", hence renaming all Administrator accounts to "Disabled". Thanks for the help and Oh so glad we got it figured out!

That is my thought too!! Only we are locked down pretty tight with our firewalls...Nothing in the logs of any suspicious activity...

A strange situation has started to occur on our networks and we have not been able to pinpoint it... SomeONE or someTHING is changing our Local Administrator account name to Disabled. Not changing the password or anything else. Looks like some type of script could be doing it, only nothing has been found on either DC (we are operating in a W2K environment). Also strange is that there is no consistency- the names were not changed at the same time of day and some not even on the same day. Cannot pinpoint a specific date/time though as many machines have no entries in the Event Logs. We have tried changing them back to "Administrator" and later they are changed back. Any suggestions and/or insight??