Thanks, James. Yeah, the user was the same for all events: NT AUTHORITY\SYSTEM
624 - User Account Created - 9:19:13 AM
626 - User Account Enabled - 9:19:13 AM
642 - User Account Changed - 9:19:13 AM
628 - User Account Password Set - 9:19:13 AM
636 - Security Enabled Local Group Member Added - 9:19:14 AM
637 - Security Enabled Local Group Member Removed - 9:21:28 AM
633 - Security Enabled Global Group Member Removed - 9:21:28 AM
630 - User Account Deleted - 9:21:28 AM

On Wed, Oct 29, 2008 at 7:12 AM, James Winzenz <[EMAIL PROTECTED]> wrote:

> Wait a sec – the event showing when the account was created (624) should
> contain information on who created the account. Likewise with the password
> set, which would be a 628. When we change the local admin password on our
> servers, these events are logged, and it tells us who performed the action.
> See below for an example – I just created a test account on my workstation
> and got the below event ID 624.
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Account Management
> Event ID: 624
> Date: 10/29/2008
> Time: 7:04:52 AM
> User: <Domain>\<username>
> Computer: xxxxxxxx
> Description:
> User Account Created:
> New Account Name: testadmin
> New Domain: xxxxxxxx
> New Account ID: xxxxxxxx\testadmin
> Caller User Name: <username used>
> Caller Domain: <Domain>
> Caller Logon ID: (0x0,0x53444)
> Privileges -
>
> Hope this information helps. Object auditing is going to tell you if the
> new account is accessing or doing anything to files/folders. The naming
> convention for your account sounds extremely suspicious – I would be
> concerned about a virus infection on that PC.
>
> Thanks,
>
> James Winzenz
> Infrastructure Systems Engineer II - Security
> Pulte Homes Information Services
>
> ------------------------------
> *From:* Clubber Lang [mailto:[EMAIL PROTECTED]]
> *Sent:* Tuesday, October 28, 2008 7:14 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Unknown account created and added to local admins group
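Added example, not code from either poster: a small Python correlation over constructed records shaped like the Security log event IDs listed in this thread (624/626/628/636/637/630). It flags an account that was created, added to a local group and deleted within a short window, and records whether the caller on the 624 was NT AUTHORITY\SYSTEM; the account and caller names are made up.

```python
from datetime import datetime

# Constructed records in the shape of the Security log events listed in the
# thread (624 created, 626 enabled, 628 password set, 636/637 local group
# member added/removed, 630 deleted). Account and caller names are made up.
SYSTEM = "NT AUTHORITY\\SYSTEM"
SAMPLE_EVENTS = [
    {"id": 624, "time": "9:19:13 AM", "account": "tmp$svc", "caller": SYSTEM},
    {"id": 626, "time": "9:19:13 AM", "account": "tmp$svc", "caller": SYSTEM},
    {"id": 628, "time": "9:19:13 AM", "account": "tmp$svc", "caller": SYSTEM},
    {"id": 636, "time": "9:19:14 AM", "account": "tmp$svc", "caller": SYSTEM, "group": "Administrators"},
    {"id": 637, "time": "9:21:28 AM", "account": "tmp$svc", "caller": SYSTEM, "group": "Administrators"},
    {"id": 630, "time": "9:21:28 AM", "account": "tmp$svc", "caller": SYSTEM},
    # A long-lived test account created by a named admin, for contrast.
    {"id": 624, "time": "7:04:52 AM", "account": "testadmin", "caller": "CORP\\helpdesk01"},
]

def _t(stamp):
    # Event Viewer "Time" column only; same-day events assumed (simplification).
    return datetime.strptime(stamp, "%I:%M:%S %p")

def find_short_lived_admin_accounts(events, max_lifetime_seconds=600):
    """One finding per account that was created (624), added to a local group
    (636) and deleted (630) within max_lifetime_seconds; caller from the 624."""
    by_account = {}
    for ev in events:
        by_account.setdefault(ev["account"], []).append(ev)
    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda ev: _t(ev["time"]))  # stable: same-second order kept
        created = next((ev for ev in evs if ev["id"] == 624), None)
        added = next((ev for ev in evs if ev["id"] == 636), None)
        deleted = next((ev for ev in evs if ev["id"] == 630), None)
        if not (created and added and deleted):
            continue
        lifetime = (_t(deleted["time"]) - _t(created["time"])).total_seconds()
        if lifetime <= max_lifetime_seconds:
            findings.append({
                "account": account,
                "group": added.get("group", "<unknown>"),
                "caller": created["caller"],
                # SYSTEM as caller: no interactive user did it; check what runs as SYSTEM.
                "caller_is_system": created["caller"].upper() == SYSTEM,
                "lifetime_seconds": int(lifetime),
            })
    return findings

if __name__ == "__main__":
    print(find_short_lived_admin_accounts(SAMPLE_EVENTS))
```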
