Re: Win2003 loses AD user account

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/28/05


Date: Wed, 28 Sep 2005 02:56:09 -0500

It would seem that someone/something is using administrator credentials for
the domain. If a domain administrator logs onto a domain workstation and the
computer is infected, it is possible that the malware uses domain
administrator credentials to compromise the domain. Keyboard loggers are
another risk. See if the security logs on the domain controller can pinpoint
the computer that the administrator deleted the account from; you may
have to correlate logon events in the security log to the account deletion
event, which may be close in time. Also look in the security logs to see if
it shows logons from any account in the Administrators group or Domain
Admins group from domain computers at times that would be suspicious.

What I would do is to shut down the problem computer, make sure that
membership in Active Directory Users and Computers for the Administrators group,
Domain Admins, and Enterprise Admins is what it should be, have any users in
these groups change their passwords and force this by checking "user
must change password at next logon", make sure that password
complexity is enabled in the domain, and instruct anyone that is in any
administrator group in the domain to never log on to a domain computer with
their domain administrator account other than known secured domain
workstations used for administering the domain. Such workstations would be
restricted by security policy to allow only domain administrators to log on
[including their normal domain accounts that do NOT use the same password
as their admin accounts], be hardened, physically secured from all other
users, and never used for internet browsing. Then I would isolate the
problem computer from the network before you turn it back on and do a fresh
install of the operating system to a formatted hard drive, install security
updates, antivirus, etc. and then put it back on the network to see what
happens.

Scanning for malware will not always ensure a computer is clean. Rootkits
usually escape detection by malware detection programs. SysInternals has a
free tool called RootkitRevealer that may be helpful in detecting a rootkit
compromise. The other thing to remember is that malware detection tools
cannot detect if a computer has been hacked, which is a big difference. A hacked
computer could be completely clean but have hard-to-detect instructions or
scripts on it that can still do damage such as you describe. If problems
continue, other computers on the network would also be suspect and I would
use the security logs on domain controllers and possibly domain computers
[enable auditing of "logon" events in Domain Security Policy] to try and
track down the offending computers. Event Comb, free from MS, can be used to
scan domain computers for Event IDs and text strings such as user names. A
software or hardware problem on a client computer simply does not delete
accounts in AD. The links below may help. --- Steve

RootkitRevealer --- http://www.sysinternals.com/utilities/rootkitrevealer.html
Anti Virus in Depth Guide from Microsoft --- http://www.microsoft.com/downloads/details.aspx?FamilyId=F24A8CE3-63A4-45A1-97B6-3FEF52F63ABB&displaylang=en
MS Small Business Security Guidance --- http://www.microsoft.com/smallbusiness/support/computer-security.mspx

"Mike" <mikeg452@hotmail.com> wrote in message
news:uS1phg$wFHA.1412@TK2MSFTNGP09.phx.gbl...
> My client has a Win2003 file/print server with SP1 and latest updates. AD,
> DNS + DHCP installed and configured. It is the only domain controller on
> the network. All workstations run WinXP SP2. It uses the standard "default
> domain policy" installed with AD.
>
> PROBLEM
> 1 x Winxp machine keeps on losing its network shares (these are
> administrative shares).
> When this happens the data gets "deleted" from the server. The LAN
> settings gets disabled (No TCP/IP or Client for Mic Net)
> The "change" and "Network ID" buttons are disabled.
> The user account in Active Directory is deleted
>
> I have tried the following
> 1. Rebuild user domain profile on wks, to no success
> 2. Reinstalled AD + rejoined all wks to domain
> 3. No errors in Event log as to why this happens. In Security log it shows
> that aco*** was removed by administrator. But no one has administrator
> password and wks are not set up with admin rights.
> 4. Tried: Different NIC, Power Supply, another WinXP pc (different model
> as to those on site), different power point, Network point and UTP flylead
> 5. Scanned for viruses using Trend, McAfee = pc was clean (as well as
> domain)
> 6. Scanned for spyware and malware = pc clean (as well as domain)
>
> If anyone can assist with this it would greatly be appreciated. (I'm at my
> wits' end)
>
> Thanks
> Mike
>
>
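The correlation Steve describes above (match each account-deletion event on the DC to logons by the deleting account shortly before it, then flag logons from machines that are not approved admin workstations) can be scripted against an exported security log. The following is an added example, not code from the thread; it assumes a constructed four-column CSV export (time, event ID, subject account, source workstation) and uses the Windows 2003 event IDs 630 (user account deleted) and 528/540 (interactive/network logon).

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like a CSV export of a DC security log:
# time, event id, subject (caller) account, source workstation
SAMPLE_LOG = """\
2005-09-27 08:02:11,540,jsmith,WKS-12
2005-09-27 08:05:40,540,administrator,WKS-07
2005-09-27 08:06:02,630,administrator,DC01
2005-09-27 12:30:00,528,administrator,ADMIN-WKS
2005-09-27 13:00:00,540,administrator,WKS-07
2005-09-27 15:40:00,528,administrator,ADMIN-WKS
2005-09-27 15:45:10,630,administrator,DC01
"""

DELETE_IDS = {630}       # Win2003 "User Account Deleted" (4726 on 2008+)
LOGON_IDS = {528, 540}   # Win2003 interactive / network logon (4624 on 2008+)

def parse_log(text):
    """Turn the CSV export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, host = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "user": user.lower(), "host": host})
    return events

def correlate(events, window=timedelta(minutes=15)):
    """For each deletion, list the logons by the same account within
    `window` before it; those logons name the machine the deletion came from."""
    findings = []
    for d in (e for e in events if e["id"] in DELETE_IDS):
        prior = [e for e in events
                 if e["id"] in LOGON_IDS and e["user"] == d["user"]
                 and d["time"] - window <= e["time"] <= d["time"]]
        findings.append({"deleted_at": d["time"], "by": d["user"],
                         "sources": sorted({e["host"] for e in prior})})
    return findings

def suspect_hosts(findings, admin_workstations):
    """Source machines that are not on the approved admin-workstation list."""
    hosts = set()
    for f in findings:
        hosts.update(h for h in f["sources"] if h not in admin_workstations)
    return sorted(hosts)

if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        print(f["deleted_at"], f["by"], f["sources"])
    print("suspect:", suspect_hosts(correlate(parse_log(SAMPLE_LOG)), {"ADMIN-WKS"}))
```

With the sample data the first deletion traces back to WKS-07, while the second came from the approved ADMIN-WKS, so only WKS-07 is reported as suspect.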