General discussion


Domain Users becoming Domain ADMINs

By hblyleven ·
We have a Windows 2000 server with approx 700 users in our school. Periodically all users in our teacher group and student group are being added to the domain Admin group. There is no evidence in any of the logs. The time is never the same. It can occur 1-3 times a day or not for over a month. We think that all our security settings are ok but now we are stumped.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by CG IT In reply to Domain Users becoming Dom ...

Sounds like you got hacked cuz someone has to change their account. Accounts don't change their status by themselves.

as a precaution, change the name of the domain administrators account, and change the password. Don't use the domain admin group but a power user group and see if the changes migrate to power user group. If so, you've got someone looking at your login .

Collapse -

by Ian Mclaws In reply to Domain Users becoming Dom ...

There are many ways for a hacker to elevate his\her account to Domain Admin status. I won't go into some of them here, as they are pretty easy and would be dangerous in users hands if not protected.

The best way I know of securing the membership of the Domain Admins group is through Group Policy, in the "Restricted Groups" GPO. If set properly here, even a Domain Admin can't give another user membership in the Domain Admins group unless the account is specified in this GPO.

Let me know if you need a hand configuring it.

Good luck,


Collapse -

by Ian Mclaws In reply to

A small note on the previous answer...

Unfortunately, all built in administrator and guest accounts have exactly the same SID (security identifier) in all deployments of MS Active Directory. A better cracker knows to do what the system does...look for the SID, not the name. Therefore, changing the admin name only stops the amateurs...

Related Discussions

Related Forums