ITinVA Posted January 13, 2005
A strange situation has started to occur on our networks and we have not been able to pinpoint it... SomeONE or someTHING is changing our Local Administrator account name to Disabled. Not changing the password or anything else. Looks like some type of script could be doing it, only nothing has been found on either DC (we are operating in a W2K environment). Also strange is that there is no consistency: the names were not changed at the same time of day and some not even on the same day. Cannot pinpoint a specific date/time though as many machines have no entries in the Event Logs. We have tried changing them back to "Administrator" and later they are changed back. Any suggestions and/or insight??
matrix0978 Posted January 13, 2005
A hacker with no life wanting to go to jail?!
ITinVA Posted January 13, 2005
That is my thought too!! Only we are locked down pretty tight with our firewalls... Nothing in the logs of any suspicious activity...
matrix0978 Posted January 13, 2005
Error in system files?
Devil_666 Posted January 13, 2005
This may sound dumb mate, but change the local admin passwords on the machines as some joker may be playing with you.
Spyder2k Posted January 14, 2005
Check your GPOs (rsop.msc on client machines) and logon scripts. If you've got DCs then no one should be logging into a local account. You should also look into changing all the local admin passwords (use compmgmt.msc and connect to the client PCs). You can also set the name of the local admin account via GPOs (I'm on XP SP2, not sure about 2K Serv): "Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Rename administrator account", though this solution does not help figure out the cause of the problem.
epic Posted January 14, 2005
> This may sound dumb mate, but change the local admin passwords on the machines as some joker may be playing with you
That would be my thought as well. Change the passphrase and create multiple admin accounts with specific privileges assigned to each individual who needs that specific access. No need to have 1 admin account to globally do changes. There should only be 1 superadmin.
Btw... always use 8-12 characters with symbols (i.e. o12fr@nce^$k)
matrix0978 Posted January 14, 2005
> Change the passphrase and create multiple admin accounts with specific privileges assigned to each individual who needs that specific access. No need to have 1 admin account to globally do changes. There should only be 1 superadmin.
Agreed.
ITinVA Posted January 14, 2005
We have an Enterprise network and no one really uses the local admin accounts, I just happened to notice it and when I researched more machines that's when I realized it had done it throughout the network.
Good news: we did figure it out (Thanx Spyderman2) as we obviously have numerous Domain Admins with rights to change GPOs. Someone (who didn't know how to do it CORRECTLY) changed the GPO in "Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Rename administrator account", and instead of correctly disabling the service (by UNchecking the box) they ENABLED it by checking, then put the WORD "Disabled", hence renaming all Administrator accounts to "Disabled".
Thanks for the help and Oh so glad we got it figured out!
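The misconfiguration described in the post above can be checked for offline. This is an added example, not part of the original thread: it reads a GPO security template (GptTmpl.inf, kept under the policy's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL) and flags a NewAdministratorName value that reads like a state word instead of an account name. The function names, the word list and the sample template are assumptions constructed for illustration.

```python
import codecs
import re

# Assumed word list: values that describe a state instead of naming an account.
STATE_WORDS = {"disabled", "disable", "enabled", "enable", "off", "on", "none"}

def decode_inf(raw: bytes) -> str:
    """Security templates are usually UTF-16 with a BOM; fall back to ANSI."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def system_access(text: str) -> dict:
    """Return the key/value pairs of the [System Access] section only."""
    section, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "system access" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip().strip('"')
    return values

def audit_rename(raw: bytes) -> list:
    """List (setting, value, verdict) for each rename policy the GPO defines."""
    values = system_access(decode_inf(raw))
    findings = []
    for key in ("NewAdministratorName", "NewGuestName"):
        if key in values:  # absent key means the policy is not defined
            name = values[key]
            verdict = "SUSPECT" if name.lower() in STATE_WORDS else "ok"
            findings.append((key, name, verdict))
    return findings

# Constructed sample reproducing the misconfiguration from the thread.
SAMPLE = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[System Access]\r\nMinimumPasswordLength = 8\r\n"
    'NewAdministratorName = "Disabled"\r\n'
    '[Version]\r\nsignature="$CHICAGO$"\r\nRevision=1\r\n'
).encode("utf-16")

if __name__ == "__main__":
    for finding in audit_rename(SAMPLE):
        print(*finding)
```

Run over every GptTmpl.inf in SYSVOL, this shows which GPO defines the rename and what value it pushes, which is the link the thread found by hand.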
JoeMSFN Posted January 14, 2005
That is hysterically funny!!!!!!!!! What a novel way to "disable" the administrator account.... HA HA HA!!! Thank you ITinVA for the follow up... you just got my morning off to a good start.... This is good material for those admin joke sites....
epic Posted January 14, 2005
lmao, so original.
matrix0978 Posted January 14, 2005
rofl.