Local passwords mysteriously changed on several networked computers

Guest

Greetings,

Last week I came into work only to find that someone had changed my Windows
login password for that local computer. I thought this was odd, so I went to
some other computers in the same room and tried my login credentials, only to
find that my password had been changed for every single computer we own.

I'll describe my configuration in a bit of detail. To let you know where I'm
coming from, I work at an academic institution. I am responsible for
building/maintaining 12 computers in total. I'm not a professional, nor do I
have any sort of training; however, I am somewhat savvy in the area of casual
computing, so I have been appointed to my unofficial position. Subnetting and
assigning of IPs is done by paid individuals higher up in the networking
hierarchy. When it all boils down, I simply take IPs from them, build
machines, and get them up on the network for my department to use. I'm still
learning, so please have some patience with me:

12 computers in total: 2 have Windows NT, 8 have Windows 2000, and the other
two have Windows XP. Some computers are on different floors around the
building. All IPs have the following form: x.x.x.y. The last octet, y,
therefore uniquely identifies each machine. There is only one PC that has an
IP address of the form x.x.x2.y (third octet different from all others).
Other people in the same building (but different department) will have
machines with IPs that have different y's, but I have no accounts on them so I
won't worry about them for now.

I do not use any sort of a domain. All computers can see each other and I
set up our data directories so they are shared. So long as anyone has an
account on any two computers, with the same account login/password, and I
have included them in each share with at least read access, they can access
the data directory on any computer using their credentials. I am not the only
administrator of each machine.

So now back to the main problem (sorry if I was a bit too descriptive):
How on earth is it possible that someone/something has changed ALL my account
passwords for EACH separate machine, aside from doing it manually for each
machine? Is there some Windows glitch I'm not aware of? Maybe a feature that
resets all passwords on local machines? Is there a trojan/virus that could
have done it? I'm not ruling out that one of the other admins has done it, but
I'd consider that the least likely possibility at this time.

I'm open to all ideas and suggestions. I'd really like to get to the bottom
of this. Thanks for your time.

Andy
 
Frankster

I'm open to all ideas and suggestions. I'd really like to get to the bottom
of this. Thanks for your time.

Assuming you tested this password change by attempted logins, I'd suspect
that you were typing the wrong username.

-Frank
 
Kurt

If your username was typed correctly and the password was actually changed,
someone either has administrative rights to do this, knows the password for
your account or another administrative account, and has some sort of access
to the computers. There are plenty of ways to do this by anyone with a
little knowledge of some "tools" and access to an administrative account.
I'd go about changing ALL of the administrative account passwords ASAP. BTW,
if you did have a domain, you would only have to do this once for each
account. With your current setup, you'll be doing it 12 times for each
account. If you can't get in any other way, you can use the nt offline
password recovery tool (Google) to reset your password (12 times).

....kurt
 
Pegasus (MVP)

Your method of checking for a changed password, by attempting
to log on, is unreliable. A far more reliable method goes like this:
- Log on under some admin account.
- Type this command: net user andy

This will tell you exactly when the password was last changed.
 
Guest

Pegasus (MVP) said:
Your method of checking for a changed password, by attempting
to log on, is unreliable. A far more reliable method goes like this:
- Log on under some admin account.
- Type this command: net user andy

This will tell you exactly when the password was last changed.

I did this as you suggested. You are right, for many of the machines it
appears that there has not been a password change near the time that this
happened and further the dates reported for the last change suggest the last
person to do it was me.

But I'm still stumped here, why are all our PCs suddenly rejecting my login
credentials? I still have accounts on all the computers, my password just
doesn't seem to get me in. And yes, I am definitely typing in my
login/password, which I've used for years on a daily basis, correctly.

Is there any known security feature that can flag all computers with an
account for "Andy" to not let that user log in? I should have also mentioned
that I am the only user that seems to be having the problem. Thanks again.

Andy
 
Pegasus (MVP)

ASmith1773 said:
I did this as you suggested. You are right, for many of the machines it
appears that there has not been a password change near the time that this
happened and further the dates reported for the last change suggest the last
person to do it was me.

But I'm still stumped here, why are all our PCs suddenly rejecting my login
credentials? I still have accounts on all the computers, my password just
doesn't seem to get me in. And yes, I am definitely typing in my
login/password, which I've used for years on a daily basis, correctly.

Is there any known security feature that can flag all computers with an
account for "Andy" to not let that user log in? I should have also mentioned
that I am the only user that seems to be having the problem. Thanks again.

Andy

What you describe sounds very much like an issue caused
by getting validated by a domain controller (until now) and
getting validated locally (from now onwards). Win2000 has
no mechanism for rejecting user passwords from one day
to the next, only for forcing a password change.
 
John Wunderlich

I did this as you suggested. You are right, for many of the
machines it appears that there has not been a password change near
the time that this happened and further the dates reported for the
last change suggest the last person to do it was me.

But I'm still stumped here, why are all our PCs suddenly rejecting
my login credentials? I still have accounts on all the computers,
my password just doesn't seem to get me in. And yes, I am
definitely typing in my login/password, which I've used for years
on a daily basis, correctly.

Is there any known security feature that can flag all computers
with an account for "Andy" to not let that user log in? I should
have also mentioned that I am the only user that seems to be
having the problem. Thanks again.

If you would entertain the idea that someone is doing this deliberately
to you, there is the program "addusers.exe" provided in the W2K
resource kit that can remotely mass-modify user accounts. In addition
to mass-creating accounts, this program can also mass-modify, remotely
disable accounts, or mass-delete accounts as well. The person using
this program would need to have administrator privileges on all target
machines. For some more info, see:

"AddUsers Automates Creation of a Large Number of Users"
<http://support.microsoft.com/default.aspx?scid=kb;en-us;199878>

HTH,
John
 
John Wunderlich

What you describe sounds very much like an issue caused
by getting validated by a domain controller (until now) and
getting validated locally (from now onwards). Win2000 has
no mechanism for rejecting user passwords from one day
to the next, only for forcing a password change.

.... unless you consider "addusers.exe" has the ability to disable an
account remotely (which exhibits the same symptoms as a changed
password for someone trying to logon).

-- John
 
josepe

For Win2000 Prof, some updates of 2005 enable password expiry for local
users as a security policy.
If you think there is a corrupt library of user validation, try an
alternative logon application. For example, the Novell Client-32 v491
(free from download.novell.com) enables an alternative client for
Microsoft networks; Novell servers may or may not be present.
 
Pegasus (MVP)

John Wunderlich said:
... unless you consider "addusers.exe" has the ability to disable an
account remotely (which exhibits the same symptoms as a changed
password for someone trying to logon).

-- John

If so then the OP would see that the account is disabled
when running the command "net user xxx".
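
The `net user` check suggested in this thread, as an added example that is not part of any post above: a Python parser that reads that command's output collected from each machine and separates a non-active account from a recently set password. The sample output, machine names and first-failure time are constructed, and a US-locale date format is assumed.

```python
import re
from datetime import datetime, timedelta

DATE_FMT = "%m/%d/%Y %I:%M %p"  # assumption: US-locale `net user` output

def parse_net_user(text):
    """Return {label: value} from the two-column output of `net user <name>`."""
    fields = {}
    for line in text.splitlines():
        # Labels and values are separated by a run of two or more spaces.
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def triage(text, first_failure, window=timedelta(days=3)):
    """Classify one machine's account state relative to the first failed logon."""
    f = parse_net_user(text)
    active = f.get("Account active", "missing")
    if active != "Yes":
        return "account-not-active: " + active
    try:
        last_set = datetime.strptime(f.get("Password last set", ""), DATE_FMT)
    except ValueError:
        return "password-date-unreadable"
    if last_set > first_failure:
        return "password-set-after-failure"  # a later reset overwrote the evidence
    if first_failure - last_set <= window:
        return "password-set-near-failure"
    return "no-recent-change"

def sample(active, last_set):
    # Constructed `net user andy` output, trimmed to the relevant lines.
    return ("User name                    andy\n"
            "Account active               %s\n"
            "Account expires              Never\n\n"
            "Password last set            %s\n"
            "Password expires             Never\n"
            "The command completed successfully.\n" % (active, last_set))

FIRST_FAILURE = datetime(2006, 3, 20, 8, 0)  # constructed time of first rejected logon
MACHINES = {  # constructed machine names and values
    "PC-01": sample("Yes", "3/19/2006 11:42 PM"),
    "PC-02": sample("No", "1/5/2006 9:10 AM"),
    "PC-03": sample("Yes", "3/22/2006 2:15 PM"),
    "PC-04": sample("Yes", "1/5/2006 9:10 AM"),
}

def triage_all():
    return {name: triage(out, FIRST_FAILURE) for name, out in MACHINES.items()}
```

"Password last set" records only the most recent change, so this output has to be captured on each machine before the password is reset there.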
 
Guest

Well after doing some detective work I think I have a good idea who is
behind it. I'm not sure if they used this remote program (this sounds like a
dangerous program) or not however they do have access to an admin account
either way. I'm not sure what they were after either, maybe wanted to change
some files with my name for the "last modified", I'm not sure, my only guess.

I guess I really just wanted to know if there was a logical explanation
before I started throwing accusations around. Seems like foul play is the
only reason. BTW I should have thought of this before my previous reply: of
course all the dates for my last password will be reasonable, since I changed
them all back before reading about the net user command 2 days ago, my bad.
 
Frankster

I guess I really just wanted to know if there was a logical explanation
before I started throwing accusations around.

I know you have to do what you have to do. But... large companies with
competent IT staffs have written Security Policies, which dictate what
individuals are privy to the Admin password or Admin privileges. One reason
they have this is (other than to protect their system - surprise!) so they
will have ammunition and justification when and if they have to "throw
accusations".

Anyhow, maybe now would be a good time for you to write such a policy.

-Frank
 
josepe

What kind of LAN needs an authentication service from third parties, like RSA?
A medium network? A LAN of around 100 PCs?
What do you think?
 
Frankster

How stringent your security policy is does not depend on the size of the
network. It depends on your overall security requirements based on a
carefully considered risk/cost analysis. And (DON'T FORGET THIS!) a pitch to
management to obtain their "buy-in" to your recommended actions. Writing a
security policy can be tough, but, writing a security policy is easy
compared to fielding all the complaints you will receive afterward. Make
sure you have management behind you before you implement.

RSA is one good security step for controlling authentication issues (there
are tons more things to consider in a security policy). RSA can be quite
expensive for some companies. May be worth it though. I have used it and
like it.

-Frank
 
