"admin$" account suddenly appeared on W2003 SBS, where did this come from?

By john
I just noticed that there is an account called "admin$" on this Windows 2003 Small Business Server. It's a member of the "Administrators" and "Domain Members" groups. The server is not running any unusual programs, just ISA, Exchange, file sharing, antivirus software, spam filtering software, etc. I know this isn't a normal account to see because I have vast experience with Windows server; it apparently showed up just recently. The server did undergo a hardware upgrade right before I noticed the mystery account. My boss who did the upgrade said he didn't create it.

I'm pretty tough on security so it seems unlikely that it's some sort of adware/spyware/virus, and there have been no indications of anything like that. No unusual firewall traffic. I disabled the account, of course. Has anyone else seen something like this?

ADMIN$ is a service share

by The Scummy One In reply to "admin$" account suddenly ...

Without ADMIN$ and IPC$ nobody would be connecting to the server properly.

admin$ is a hidden share as is IPC$

by CG IT In reply to ADMIN$ is a service share

If you can see admin$ using a domain user account in the list of shares available for domain users [then you navigate, My Network Places, <sbs server> and double-click on the SBS server, there will be a list of shares], then it's not being hidden.

You should check to see if the admin$ was inadvertently published in Active Directory.

Thank you everyone who answered...

by john In reply to admin$ is a hidden share ...

The admin$ share must have been inadvertently published in AD. Since I've never had any reason to publish shares in AD, it didn't occur to me that this could be the case. However, since Windows won't let me modify this share (or any other administrative share), I can't see how this could be user error. It must be some software glitch.

See if this will help

by Jacky Howe In reply to "admin$" account suddenly ...

Can't really help you on how the account was created but you could check your logs and see if it was accessed. Also dates and times. Check to see if the main administrator account hasn't been interfered with and anything else that needs administrator privileges to run. IE: Backup

It could also run a new service so check to see if anything new has been installed.
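
Added example, not part of the thread: one way to do the log check suggested in the post above, assuming account-management and logon auditing were enabled and the Security log was exported to CSV from Event Viewer. The sample rows, the CORP domain, the SBS01 host name and the column order are constructed assumptions; the event IDs are the Windows Server 2003 numbers for account creation, group-membership changes and logons.

```python
import csv
import io
import re

# Security-log event IDs used by Windows Server 2003 (pre-Vista numbering).
WATCH = {
    "624": "user account created",
    "626": "user account enabled",
    "632": "member added to global group",
    "636": "member added to local group",
    "642": "user account changed",
    "528": "successful logon",
    "540": "successful network logon",
}

# Constructed sample rows. Assumed column order of the CSV export:
# date, time, source, type, category, event ID, user, computer, description.
SAMPLE = r"""
3/10/2008,9:02:11 AM,Security,Success Audit,Account Management,624,CORP\Administrator,SBS01,User Account Created: New Account Name: jsmith Caller User Name: Administrator
3/14/2008,2:11:07 AM,Security,Success Audit,Account Management,624,CORP\Administrator,SBS01,User Account Created: New Account Name: admin$ Caller User Name: Administrator
3/14/2008,2:11:09 AM,Security,Success Audit,Account Management,636,CORP\Administrator,SBS01,Security Enabled Local Group Member Added: Member ID: CORP\admin$ Target Account Name: Administrators Caller User Name: Administrator
3/14/2008,8:30:00 AM,Security,Success Audit,Logon/Logoff,540,CORP\john,SBS01,Successful Network Logon: User Name: john Logon Type: 3
3/15/2008,1:47:52 AM,Security,Success Audit,Logon/Logoff,540,CORP\admin$,SBS01,Successful Network Logon: User Name: admin$ Logon Type: 3
"""


def account_timeline(export_text, account):
    """Return (date, time, event ID, meaning, actor) for watched events naming `account`."""
    # Match the exact name only: "admin$" must not match "Administrator".
    name = re.compile(r"(?<![\w$])" + re.escape(account) + r"(?![\w$])", re.I)
    hits = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) < 9 or row[5] not in WATCH:
            continue  # blank line, short row, or an event we do not track
        date, time, event_id, user, text = row[0], row[1], row[5], row[6], row[8]
        if name.search(text) or name.search(user):
            # Account-management events record who made the change.
            caller = re.search(r"Caller User Name:\s*(\S+)", text)
            hits.append((date, time, event_id, WATCH[event_id],
                         caller.group(1) if caller else user))
    return hits


if __name__ == "__main__":
    for hit in account_timeline(SAMPLE, "admin$"):
        print(*hit, sep=" | ")
```

The 624 and 636 rows give the creation time and the caller that made the change, which can be compared against the hardware-upgrade window; later 528/540 rows show whether the account was ever used.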
