Frank
Hi,
As a regular revision of the server I found strange messages in my Event
viewer. Maybe you can help me figure them out. Because of company policy I
had to create a regular account for a user Eva. I turned on a lot of
auditing events. Yesterday Eva failed to access the SERVICES.EXE process
to stop and start a service.
My server is called 27MAYO. What does it mean when I see "Primary User Name:
27MAYO$"?
Then I get the message:
Server Object: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ConnectToServer
ShutdownServer
InitializeServer
CreateDomain
EnumerateDomains
LookupDomain
The same thing is done for object name 27MAYO:
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateLocalGroup
GetLocalGroupMembership
ListAccounts
LookupIDs
AdministerServer
Then they restarted the server. And logged on, but the only message that I
get from logging on this time is that of KSecDD and it doesn't say what user
name is logged on.
Audit Policy Change:
New Policy:
Success Failure
+ + System
+ + Logon/Logoff
- - Object Access
+ + Privilege Use
- - Detailed Tracking
+ + Policy Change
+ + Account Management
+ + System
Changed By: 27MAYO$
User Name: %15 Domain Name: PERNO
Logon ID: (0X0,0X3E7)
Could anyone explain to me how they could have done this? Thank you.
Frank