How are you finding out this information at the moment? As best I can tell, you can use object access auditing to get this information - but if you have that on already...
Cheers Ken From: Clubber Lang [mailto:[EMAIL PROTECTED] Sent: Wednesday, 29 October 2008 10:14 AM To: NT System Admin Issues Subject: Unknown account created and added to local admins group An account has been created and added to the local Administrators group on an XP workstation that's a member of a domain. The name of the account is a long string of random small and capital letters like this: wiwr7eyieUEIRU4EYSRI I see in the Security log when the account was added, then a password added, then added to the local Adminsitrators group, and it all occurred within 1 minute. But is there a way to tell if another local or domain account was used to do the adding, and if so which one? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
