James is correct,
Also I would look to implement a Restricted Groups GPO which will rip any accounts you don't want out of the local Administrators, Power Users and any other Local or Global Groups that are sensitive in nature. You should see the event logs light up each time the GPO is applied if someone or something has put an extra user in your local administrators group.

Now for the 64M dollar question: do you know if you are currently having a penetration test or security testing on your farm going on that your bosses didn't tell you was going on? I have run into that once before, but I'd side on the cautious side and check your other systems and see if something larger isn't in store.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

________________________________
From: James Winzenz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2008 10:13 AM
To: NT System Admin Issues
Subject: RE: Unknown account created and added to local admins group

Wait a sec - the event showing when the account was created (624) should contain information on who created the account. Likewise with the password set, which would be a 628. When we change the local admin password on our servers, these events are logged, and it tells us who performed the action. See below for an example - I just created a test account on my workstation and got the below event ID 624.

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 624
Date: 10/29/2008
Time: 7:04:52 AM
User: <Domain>\<username>
Computer: xxxxxxxx
Description:
User Account Created:
New Account Name: testadmin
New Domain: xxxxxxxx
New Account ID: xxxxxxxx\testadmin
Caller User Name: <username used>
Caller Domain: <Domain>
Caller Logon ID: (0x0,0x53444)
Privileges -

Hope this information helps. Object auditing is going to tell you if the new account is accessing or doing anything to files/folders.
The naming convention for your account sounds extremely suspicious - I would be concerned about a virus infection on that PC.

Thanks,

James Winzenz
Infrastructure Systems Engineer II - Security
Pulte Homes Information Services

________________________________
From: Clubber Lang [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2008 7:14 PM
To: NT System Admin Issues
Subject: Re: Unknown account created and added to local admins group
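As an added illustration of reading the caller fields James points to (example code, not from this thread), the following Python parses Security-log records in that text layout and flags 624/628 events whose new account name falls outside a hypothetical site naming convention or whose caller is a machine or SYSTEM context rather than a named admin. The sample records, hostnames and the naming pattern are constructed for the example.

```python
import re
# Constructed sample records in the text layout of the event James pasted
# (624 = User Account Created, 628 = User Account Password Set); made-up values.
SAMPLE_LOG = """Event ID: 624
Computer: WS0042
New Account Name: testadmin
Caller User Name: jwinzenz
Caller Domain: CORP

Event ID: 628
Computer: SRV07
Target Account Name: q7xk2a
Caller User Name: SRV07$
Caller Domain: NT AUTHORITY
"""

# Hypothetical site convention: human-created accounts carry an agreed prefix.
NAME_PATTERN = re.compile(r"^(svc|adm|test)[a-z]+$")

def parse_events(text):
    """Split blank-line separated 'Key: Value' records into dicts."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def suspicious_account_events(text):
    """Return (event_id, account, caller, reasons) for 624/628 events that look off."""
    findings = []
    for ev in parse_events(text):
        if ev.get("Event ID") not in ("624", "628"):
            continue
        account = ev.get("New Account Name") or ev.get("Target Account Name", "")
        caller_user = ev.get("Caller User Name", "")
        caller = f"{ev.get('Caller Domain', '')}\\{caller_user}"
        reasons = []
        if not NAME_PATTERN.match(account):
            reasons.append("name outside convention")
        # A trailing '$' marks a computer account; NT AUTHORITY covers SYSTEM.
        if caller_user.endswith("$") or ev.get("Caller Domain") == "NT AUTHORITY":
            reasons.append("caller is a machine or SYSTEM context")
        if reasons:
            findings.append((ev["Event ID"], account, caller, reasons))
    return findings
```

Run over an exported Security log in this layout, it reports only the records worth a closer look, together with the Caller fields that tell you who performed the action.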
