Re: Win2003 loses AD user account
From: Mike (mikeg452_at_hotmail.com)
Date: 09/28/05
- Next message: The Poster: "File/Folder encryption - Compliancy with PCI"
- Previous message: Steven L Umbach: "Re: Win2003 loses AD user account"
- In reply to: Steven L Umbach: "Re: Win2003 loses AD user account"
- Next in thread: Steven L Umbach: "Re: Win2003 loses AD user account"
- Reply: Steven L Umbach: "Re: Win2003 loses AD user account"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 28 Sep 2005 10:13:16 +0200
Thanks Steve,
Will try out as mentioned below and post back the results.
Mike
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OiZe1IAxFHA.2960@tk2msftngp13.phx.gbl...
> It would seem that someone/something is using administrator credentials
> for the domain. If a domain administrator logs onto a domain workstation
> and the computer is infected it is possible that the malware uses domain
> administrator credentials to compromise the domain. Keyboard loggers are
> another risk. See if the security logs on the domain controller can
> pinpoint the computer that the administrator deleted the account from and
> you may have to correlate logon events in the security log to the account
> deletion event which may be close in time. Also look in the security logs
> to see if it shows logons from any account in the administrators group or
> domain admins group from domain computers at times that would be
> suspicious.
>
> What I would do is to shutdown the problem computer, make sure that
> membership in Active Directory Users and Computers for administrators
> group, domain admins, and enterprise admins is what it should be, have any
> users in these groups change their passwords and force such by checking
> that user must change password at next logon, make sure that the use of
> password complexity is enabled in the domain, and instruct anyone that is
> in any administrator group in the domain to never logon to a domain
> computer with their domain administrator account other than known secured
> domain workstations used for administrating the domain. Such workstations
> would be restricted by security policy to allow only domain administrators
> to logon to [including their normal domain accounts that do NOT use the
> same password as their admin accounts], be hardened, physically secured
> from all other users, and never used for internet browsing. Then I would
> isolate the problem computer from the network before you turn it back on
> and do a fresh install of the operating system to a formatted hard drive,
> install security updates, antivirus, etc and then put it back on the
> network to see what happens.
>
> Scanning for malware will not always ensure a computer is clean. Rootkits
> usually escape detection by malware detection programs. SysInternals has a
> free tool called RootkitRevealer that may be helpful in detecting a rootkit
> compromise. The other thing to remember is that malware detection tools
> cannot detect if a computer has been hacked which is a big difference. A
> hacked computer could be completely clean but have hard to detect
> instructions or scripts on it that can still do damage such as you
> describe. If problems continue, other computers on the network would also
> be suspect and I would use the security logs on domain controllers and
> possibly domain computers [enable auditing of "logon" events in Domain
> Security Policy] to try and track down the offending computers. Event Comb
> free from MS can be used to scan domain computers for Event IDs and text
> strings such as user names. A software or hardware problem on a client
> computer simply does not delete accounts in AD. The links below may
> help. --- Steve
>
> http://www.sysinternals.com/utilities/rootkitrevealer.html --- RootKit
> Revealer
> http://www.microsoft.com/downloads/details.aspx?FamilyId=F24A8CE3-63A4-45A1-97B6-3FEF52F63ABB&displaylang=en
> --- Anti Virus in Depth Guide from Microsoft
> http://www.microsoft.com/smallbusiness/support/computer-security.mspx ---
> MS Small Business Security Guidance
>
> "Mike" <mikeg452@hotmail.com> wrote in message
> news:uS1phg$wFHA.1412@TK2MSFTNGP09.phx.gbl...
>> My client has a Win2003 file/print server with SP1 and latest updates.
>> AD, DNS + DHCP installed and configured. It is the only domain controller
>> on the network. All workstations run WinXP SP2. It uses the standard
>> "default domain policy" installed with AD.
>>
>> PROBLEM
>> 1 x Winxp machine keeps on losing its network shares (these are
>> administrative shares).
>> When this happens the data gets "deleted" from the server. The LAN
>> settings get disabled (No TCP/IP or Client for Mic Net)
>> The "change" and "Network ID" buttons are disabled.
>> The user account in Active Directory is deleted
>>
>> I have tried the following
>> 1. Rebuild user domain profile on wks, to no success
>> 2. Reinstalled AD + rejoined all wks to domain
>> 3. No errors in Event log as to why this happens. In the Security log it shows
>> that aco*** was removed by administrator. But no one has administrator
>> password and wks are not setup with admin rights.
>> 4. Tried: Different NIC, Power Supply, another WinXP pc (different model
>> as to those on site), different power point, Network point and UTP
>> flylead
>> 5. Scanned for viruses using Trend, McAfee = pc was clean (as well as
>> domain)
>> 6. Scanned for spyware and malware = pc clean (as well as domain)
>>
>> If anyone can assist with this it would greatly be appreciated. (I'm at
>> my wits' end)
>>
>> Thanks
>> Mike
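Steve's advice above is to pull the account-deletion event from the domain controller's security log and correlate it with the administrator logons that preceded it, then look for any privileged logon from an ordinary domain computer. The block below is an added example, not from the thread or any Microsoft tool: it runs that correlation over a constructed export of Windows 2003 security-log records, assuming the column layout and the workstation names shown (ADMIN-WKS as the designated admin workstation, WKS-07 as the problem PC); the event IDs 528/540 (successful logon) and 630 (user account deleted) are the Windows 2003 ones.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample of domain-controller security-log records (not from the
# thread). Columns: time, event id, account performing the action, workstation
# it came from, target account. Windows 2003 IDs: 528 = interactive logon,
# 540 = network logon, 630 = user account deleted. WKS-07 is the problem PC.
SAMPLE_LOG = """\
2005-09-27 08:55:10,528,Administrator,ADMIN-WKS,-
2005-09-27 09:02:44,540,jsmith,WKS-07,-
2005-09-27 09:03:12,540,Administrator,WKS-07,-
2005-09-27 09:03:40,630,Administrator,WKS-07,jsmith
2005-09-27 10:15:00,540,Administrator,ADMIN-WKS,-
"""
Event = namedtuple("Event", "time event_id caller source target")
LOGON_IDS = (528, 540)
ACCOUNT_DELETED = 630

def parse_log(text):
    """Turn the comma-separated export into Event records."""
    events = []
    for line in text.strip().splitlines():
        when, eid, caller, source, target = line.split(",")
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            int(eid), caller, source, target))
    return events

def correlate_deletions(events, trusted_admin_hosts, window_minutes=30):
    """For each account deletion, collect logons by the same caller in the
    preceding window; flag it if any came from a non-admin workstation."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for ev in events:
        if ev.event_id != ACCOUNT_DELETED:
            continue
        prior = [e for e in events if e.event_id in LOGON_IDS and
                 e.caller == ev.caller and ev.time - window <= e.time <= ev.time]
        sources = sorted({e.source for e in prior} | {ev.source})
        findings.append({"deleted": ev.target, "by": ev.caller, "at": ev.time,
                         "logon_sources": sources,
                         "suspicious": any(s not in trusted_admin_hosts
                                           for s in sources)})
    return findings

def admin_logons_outside(events, admins, trusted_admin_hosts):
    """Steve's second check: privileged logons from ordinary domain computers."""
    return [e for e in events if e.event_id in LOGON_IDS and
            e.caller in admins and e.source not in trusted_admin_hosts]
```

A real export from Event Viewer or EventCombMT has its own column order, so parse_log would need its field mapping adjusted before use.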