J
John
Is there a way to see if someone added a user account to our active
directory that dows not show in ADUC?
directory that dows not show in ADUC?
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
P
Paul Bergson [MVP-DS]
What do you mean doesn't show up in ADUC? If it is a user object within the
name space of AD domain it should show up (Unless of course someone modified
permissions on the object).
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
name space of AD domain it should show up (Unless of course someone modified
permissions on the object).
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
J
John
That's what I am trying to find out. How can I check the permissions if the
object doesn't show. Saw a strange user named "sistem" and I immediently
deactivated that account, and changed the server password. I am looking to
see if any other unusual activity. Anything I should look for?
object doesn't show. Saw a strange user named "sistem" and I immediently
deactivated that account, and changed the server password. I am looking to
see if any other unusual activity. Anything I should look for?
P
Paul Bergson [MVP-DS]
I would find it very unlikely that there is something that hidden if you are
logged on as the domain admin.
Just use the "Saved Queries" and create a query to return all users.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
logged on as the domain admin.
Just use the "Saved Queries" and create a query to return all users.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
J
John
Thanks.
Paul Bergson said:I would find it very unlikely that there is something that hidden if you
are logged on as the domain admin.
Just use the "Saved Queries" and create a query to return all users.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
A
Ace Fekay [MVP]
In
Do you have an FTP site that may have been compromised? If you found a user
account such as 'sistem,' I would be leary as to think what else may have
been added or compromised, such as an auto-instance of ServU or WarFTP
server installed along with it?
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations
Having difficulty reading or finding responses to your post?
Try using Outlook Express or any other newsreader, configure a news
account, and point it to news.microsoft.com. Anonymous access. It's
easy and it's free:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164
John said:Thanks.
Do you have an FTP site that may have been compromised? If you found a user
account such as 'sistem,' I would be leary as to think what else may have
been added or compromised, such as an auto-instance of ServU or WarFTP
server installed along with it?
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations
Having difficulty reading or finding responses to your post?
Try using Outlook Express or any other newsreader, configure a news
account, and point it to news.microsoft.com. Anonymous access. It's
easy and it's free:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164
J
John
That is exactly what happened. Don't see anything yet, but keeping a close
eye on it. Any suggestions?
eye on it. Any suggestions?
A
Ace Fekay [MVP]
In
Scan it using a scan tool checking each and every port to see which is
listening. You can also run TCPView to find what ports are open and what
executable is listening. This should tell you what port the FTP server, that
is if it is FTP, is running on. Once you find out, FTP into it on that port
and see what data shows up and search your drive for it. If it's a folder
that you can't delete or find, there are methods to delete them.
Let me know what you find out.
Ace
John said:That is exactly what happened. Don't see anything yet, but keeping a
close eye on it. Any suggestions?
Scan it using a scan tool checking each and every port to see which is
listening. You can also run TCPView to find what ports are open and what
executable is listening. This should tell you what port the FTP server, that
is if it is FTP, is running on. Once you find out, FTP into it on that port
and see what data shows up and search your drive for it. If it's a folder
that you can't delete or find, there are methods to delete them.
Let me know what you find out.
Ace
J
John
Looks like everything is ok for now. I have been running Process Explorer
and TCPView and do not see anything our of the ordinary. In addition, I have
a logon script that tracks logons on our network and places them in a access
database on a remote machine. Again, nothing is showing up that is
suspicious.
Thanks for your help.
and TCPView and do not see anything our of the ordinary. In addition, I have
a logon script that tracks logons on our network and places them in a access
database on a remote machine. Again, nothing is showing up that is
suspicious.
Thanks for your help.
A
Ace Fekay [MVP]
In
Good to hear. At least you now know what to look for. Keep in mind if FTP
access and it's an anonymous connection, it may no show up looking at
logons.
Ace
John said:Looks like everything is ok for now. I have been running Process
Explorer and TCPView and do not see anything our of the ordinary. In
addition, I have a logon script that tracks logons on our network and
places them in a access database on a remote machine. Again, nothing
is showing up that is suspicious.
Good to hear. At least you now know what to look for. Keep in mind if FTP
access and it's an anonymous connection, it may no show up looking at
logons.
Ace