Did someone link a new GPO or edit a GPO that affects the machine?
_____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser Sent: Friday, March 10, 2006 11:39 AM To: [email protected] Subject: RE: [ActiveDir] OT: Netlogon Service Well if they did why wouldn't I be able to restart the services, I am thinking there is more to it than just someone stopped the ports, but I will look into the auditing, just to be sure. Thanks, Aaron -----Original Message----- From: Ken Schaefer [mailto:[EMAIL PROTECTED] Sent: Thu 3/9/2006 11:07 PM To: [email protected] Cc: Subject: RE: [ActiveDir] OT: Netlogon Service For all we know, someone did exactly what you did (connect remotely using administrative credentials) and disabled the services. Do you have logon auditing enabled? If so, have you checked to see who's logged onto the machine? Cheers Ken _____ From: [EMAIL PROTECTED] on behalf of Aaron Visser Sent: Fri 3/10/2006 4:47 PM To: [email protected] Subject: [ActiveDir] OT: Netlogon Service Well I know this is a little off topic but I cannot find any answers so I have decided that I need to tap into this huge fountain of knowledge. Computer - Win XP Pro SP2 latest Updates Problem - Computer was working fine and all of a sudden after a reboot today I can no longer login to it via the Domain (it says that the NetLogon Service is not started) So I logged onto another computer and remotely connected to the computer thru the Computer Management MMC Snap-In and checked the Netlogon Service and sure enough it was disabled, so I set it to Auto and then proceeded to start the Service. But it will not start because it says that the RPC Locator Service (to the best of my recollection) needs to be started, so I check that and sure enough it is disabled also. So I try to start that service but it gives me some error that I cannot recall at this time. Anyways trying to make this story short I am pretty sure that the computer in question was targeted from within the LAN remotely. So the big question or questions are is it possible to attack a computer in this manner? If it is possible does anyone have any info on how to accomplish this so that I can try and figure out how or what what used and maybe even nail the person (student) who did this. Thanks, Aaron
<<attachment: winmail.dat>>
