Re: possible security worry



Hi
Turn on auditing as Austing suggested, but remember that sometimes knowing
each other's PW can lead to situations like this one. That's why the PW
shouldn't be given to anyone, so it's a good idea to force these Admins to
change their PWs and enable auditing. By doing this you'll have more
guarantees that no other user has someone's password and is doing these
things.
--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"TwistedPair" <twistedpair@xxxxxxxx> wrote in message
news:eVI3NzVHIHA.5360@xxxxxxxxxxxxxxxxxxxxxxx
All,
I have a curious problem where stuff is changing in our AD domain, but
there's no record of those changes in the event log. For instance, just
recently, a couple of users needed to be added back into a group that they
were previously members of.

1. None of the administrators are admitting to the change.

2. Nothing shows up in the security event logs with regard to the removal
of those accounts although I see the events for the user being added back
in.

3. The reason for it not appearing in the event log could not possibly be
due to recency problems, meaning, the event had to have occurred before
the log events for it were overwritten (it happened just a couple of days
ago).

4. DCdiag, netdiag, and the AD-related event logs are showing no problems.

5. Additionally, other suspicious events have happened, like password
expiration settings changing and no record of that occurring in the event
log . . . Things like that.

I'm not liking the conclusions this is leaving me with as you can imagine.
If we've been compromised, I need concrete evidence. If any of you happen
to have any ideas on possible other things to check, I'd be greatly
interested.

Thanks!
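
Added example, not part of the original thread: one way to act on the auditing advice above and look for the missing "member removed" records. It goes a step beyond the reply by also reading replication metadata, which records group membership changes independently of the event log. Assumptions: Windows Server 2008 or later event IDs (the thread does not state the OS version), the ActiveDirectory PowerShell module, and a placeholder group DN and look-back window.

```powershell
# Added example; run from an elevated session on a DC or an admin workstation.
Import-Module ActiveDirectory

$GroupDN = 'CN=ExampleGroup,OU=Groups,DC=example,DC=com'   # placeholder DN
$Since   = (Get-Date).AddDays(-7)                           # placeholder window

# Windows Server 2008+ Security event IDs (assumed OS level):
#   4728/4732/4756 = member added to global/local/universal security group
#   4729/4733/4757 = member removed from global/local/universal security group
#   4739           = domain policy changed (covers password policy settings)
$Ids = 4728, 4729, 4732, 4733, 4756, 4757, 4739

# 1. Check that the relevant audit subcategories are enabled (local machine;
#    repeat on each DC, or enforce through the Default Domain Controllers Policy).
auditpol /get /subcategory:"Security Group Management"
auditpol /get /subcategory:"Authentication Policy Change"

# 2. A change is logged only on the DC that processed it, so search every DC.
$events = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $Ids; StartTime = $Since
        } | Select-Object @{n='DC';e={$dc.HostName}}, TimeCreated, Id,
            @{n='Summary';e={($_.Message -split "`r?`n")[0]}}
    } catch {
        # Raised when no events match or the log cannot be read on this DC.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}
$events | Sort-Object TimeCreated | Format-Table -AutoSize

# 3. Replication metadata for the group's member links: shows when each link
#    last changed and which DC originated the change. A removed member has
#    LastOriginatingDeleteTime set.
Get-ADReplicationAttributeMetadata -Object $GroupDN `
    -Server (Get-ADDomainController).HostName `
    -Properties member -ShowAllLinkedValues |
    Select-Object AttributeValue, LastOriginatingChangeTime,
                  LastOriginatingDeleteTime,
                  LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize
```

If step 3 names an originating DC and time for a removal, the Security log on that DC around that time is the place to look for who made the change.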


