TechRepublic|Forums|Windows

Windows

General discussion

  • Creator
    Topic
  • November 10, 2004 at 10:55 am #2285325

    Domain Users becoming Domain ADMINs

    Locked

    by hblyleven · about 17 years, 6 months ago

    We have a Windows 2000 server with approx 700 users in our school. Periodically all users in our teacher group and student group are being added to the domain Admin group. There is no evidence in any of the logs. The time is never the same. It can occur 1-3 times a day or not for over a month. We think that all our security settings are ok but now we are stumped.

    Topic is locked This conversation is currently closed to new comments.
  • Creator
    Topic

All Comments

  • Author
    Replies
    • November 10, 2004 at 12:03 pm #3312919

      Reply To: Domain Users becoming Domain ADMINs

      by cg it · about 17 years, 6 months ago

      In reply to Domain Users becoming Domain ADMINs

      Sounds like you got hacked cuz someone has to change their account. Accounts don’t change their status by themselves.

      as a precaution, change the name of the domain administrators account, and change the password. Don’t use the domain admin group but a power user group and see if the changes migrate to power user group. If so, you’ve got someone looking at your login .

    • November 11, 2004 at 8:58 am #3312668

      Reply To: Domain Users becoming Domain ADMINs

      by ian mclaws · about 17 years, 6 months ago

      In reply to Domain Users becoming Domain ADMINs

      There are many ways for a hacker to elevate his\her account to Domain Admin status. I won’t go into some of them here, as they are pretty easy and would be dangerous in users hands if not protected.

      The best way I know of securing the membership of the Domain Admins group is through Group Policy, in the “Restricted Groups” GPO. If set properly here, even a Domain Admin can’t give another user membership in the Domain Admins group unless the account is specified in this GPO.

      Let me know if you need a hand configuring it.

      Good luck,

      IanM

      • November 11, 2004 at 9:01 am #3312664

        Reply To: Domain Users becoming Domain ADMINs

        by ian mclaws · about 17 years, 6 months ago

        In reply to Reply To: Domain Users becoming Domain ADMINs

        A small note on the previous answer…

        Unfortunately, all built in administrator and guest accounts have exactly the same SID (security identifier) in all deployments of MS Active Directory. A better cracker knows to do what the system does…look for the SID, not the name. Therefore, changing the admin name only stops the amateurs…

  • Author
    Replies
Viewing 1 reply thread