Help! Special privileges assigned to ANY user on logon!

Guest

I have one XP Professional SP2 machine out of about 200 on my network that
will allow ANY user that logs in to have the following special privileges
assigned:

SeDebugPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeChangeNotifyPrivilege

This is a pretty big issue since now anyone on that machine can load/unload
programs (debugger user is a pretty powerful privilege). I've removed it
from the network, verified that it only happens on this ONE PC and threw
Kaspersky AV, CA Pest Patrol and Trojan Remover from super software against
it. It finds nothing except some malware which was removed. After rebooting,
it still happens. Any user gets their privileges escalated.

I've searched through Technet articles, Googled the issue and can't isolate
the cause. If anyone else has had similar experiences, could you please let
me know some possible solutions? I sent it back to the user with explicit
instructions for him to back up his data files because I am more than likely
going to nuke it and start it over. Thanks!

Steve M.
 
Harry Johnston

Steve said:
I have one XP Professional SP2 machine out of about 200 on my network that
will allow ANY user that logs in to have the following special privileges
assigned:

SeDebugPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeChangeNotifyPrivilege

Have you checked who is assigned these privileges in the computer's local policy?

Start Menu/Control Panel/Administrative Tools/Local Security Policy

Local Policies/User Rights Assignment

Debug Programs
Backup Files and Directories
Restore Files and Directories

Note that SeChangeNotifyPrivilege is normal and Microsoft strongly recommend
that it not be removed, because the operating system and many applications are
designed with the assumption that it will be turned on.

Harry.
 
Guest

That was one of the first things I checked.

I finally did figure it out, almost by accident though, but it was the
solution.
I right clicked my computer, went to manage, then opened users and groups.
Right in the administrator group, one of the previous (as in no longer works
here) IT staff had added "domain users" to the "domain administrators".
Whoever logged onto that one computer had domain access as administrator....

Yeah, scary isn't it?

Scarier is that it should have been one of the FIRST things I checked and
didn't!

I only thought about that after fixing another computer that some user had
local admin rights to, and on a hunch I checked to see if that was really the
case (it was). But then it made me think to check Groups.

Thanks for the help though! I did go back and double check what you had
suggested in case I had missed anything!

Steve Moulden
 
Harry Johnston

Steve said:
I right clicked my computer, went to manage, then opened users and groups.
Right in the administrator group, one of the previous (as in no longer works
here) IT staff had added "domain users" to the "domain administrators".
Whoever logged onto that one computer had domain access as administrator....

Wouldn't be domain access; that can only be configured in the Active Directory,
not on the local computer. But local administrator access is bad enough.

Steve said:
Scarier is that it should have been one of the FIRST things I checked and
didn't!

I should have thought of that too. Oh well, can't spot everything I guess. :)

Harry.
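
The check that resolved this thread, as an added PowerShell example (not code from either poster): it lists the members of a machine's local Administrators group and flags broad principals such as Domain Users by SID. The English group name `Administrators`, the function name `Get-BroadLocalAdmin` and the set of SIDs treated as broad are assumptions of this example.

```powershell
# Added example, not from the thread. Flags overly broad members of the local
# Administrators group, whose members receive that group's user rights at logon.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

# Well-known SIDs treated as "too broad" here (the list is this example's choice).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Well-known domain-relative RIDs: <domain SID>-513 is Domain Users, -515 Domain Computers.
$BroadRids = @{ '513' = 'Domain Users'; '515' = 'Domain Computers' }

function Get-BroadLocalAdmin {
    param([string]$Computer)
    # WinNT ADSI provider; assumes the group has its English name "Administrators".
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
        $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$bytes, 0)).Value

        # Match either a fixed well-known SID or a domain SID ending in a broad RID.
        $reason = $null
        if ($BroadSids.ContainsKey($sid)) {
            $reason = $BroadSids[$sid]
        } elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and $BroadRids.ContainsKey($Matches[1])) {
            $reason = $BroadRids[$Matches[1]]
        }
        New-Object PSObject -Property @{
            Computer = $Computer; Member = $path; Sid = $sid
            Broad = [bool]$reason; Reason = $reason
        }
    }
}

foreach ($c in $ComputerName) {
    try {
        # Report only the members that matched one of the broad principals.
        Get-BroadLocalAdmin -Computer $c | Where-Object { $_.Broad } |
            Select-Object Computer, Member, Sid, Reason
    } catch {
        Write-Warning "$c : could not read local Administrators group: $($_.Exception.Message)"
    }
}
```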
 
