Event viewer security

David Murphy

Hi,
In my event log security I have success audits for (user account password set) for all the following accounts (administrator, myself, guest, help assistant, support).
I have no knowledge of how these passwords were created for these accounts. Can anyone provide me with any info on what may have caused this?
Thanks,
David.

Details, category:account management
user: nt authority\system, type: success audit
Product: Windows Operating System
ID: 628
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_USER_PWD_SET
Message: User Account password set:
Target Account Name:all of the above accounts, Target Domain: computer name
Target Account ID:computer name\all of the above accounts
Caller User Name:computer name$
Caller Domain:mshome
Caller Logon ID: %6
 
Roger Abell

In my experience, messages such as you post are not
normally seen. This seems to say that the System account
was used to set the password of each named account.
Are you still able to log in? As an admin?
If so, I would suggest that you change the passwords of
all accounts, particularly admin accounts, as you can find
the full list by issuing at a cmd prompt
net localgroup administrators
Also, I would make sure that the firewall is on, and that
anything that is defined to come in from outside is supposed
to be there; and then I would run some good malware scanning
tools to see if the machine has known backdoors.
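
Added example (not part of the original thread and not either poster's code): a Python sketch that groups event 628 records by caller and lists the callers worth a closer look, following the reading of the event given in the reply above. The field names come from the event text in the question; the sample records, host name and account names are constructed, and the review rule (machine-account caller, or two or more distinct targets) is an assumption.

```python
from collections import defaultdict

# Constructed sample: three event 628 records using the field names quoted
# in the question. HOMEPC and the account names are made up.
SAMPLE = """\
ID: 628
Target Account Name: Administrator
Caller User Name: HOMEPC$
Caller Domain: MSHOME

ID: 628
Target Account Name: Guest
Caller User Name: HOMEPC$
Caller Domain: MSHOME

ID: 628
Target Account Name: david
Caller User Name: david
Caller Domain: HOMEPC
"""
REQUIRED = {"Target Account Name", "Caller User Name"}

def parse_records(text):
    """Return one {field: value} dict per blank-line-separated 628 record."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        # Keep only complete password-set records; skip anything malformed.
        if rec.get("ID") == "628" and REQUIRED <= rec.keys():
            records.append(rec)
    return records

def password_sets_by_caller(records):
    """Map each caller to the sorted accounts whose password it set."""
    by_caller = defaultdict(set)
    for rec in records:
        by_caller[rec["Caller User Name"]].add(rec["Target Account Name"])
    return {caller: sorted(targets) for caller, targets in by_caller.items()}

def needs_review(by_caller, threshold=2):
    """Assumed rule: caller is a machine account (name ends in $) or it set
    passwords on `threshold` or more different accounts."""
    return sorted(c for c, t in by_caller.items()
                  if c.endswith("$") or len(t) >= threshold)

if __name__ == "__main__":
    print(needs_review(password_sets_by_caller(parse_records(SAMPLE))))
```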
 
david

Thanks for the advice, Roger, much appreciated.
-----Original Message-----
In my experience, messages such as you post are not
normally seen. This seems to say that the System account
was used to set the password of each named account.
Are you still able to log in? As an admin?
If so, I would suggest that you change the passwords of
all accounts, particularly admin accounts, as you can find
the full list by issuing at a cmd prompt
net localgroup administrators
Also, I would make sure that the firewall is on, and that
anything that is defined to come in from outside is supposed
to be there; and then I would run some good malware scanning
tools to see if the machine has known backdoors.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA