Hi Guys,
Our customer has security issue now, some users have been reset password by SYSTEM account like below:
---------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/23/2013 10:02:48 PM
Event ID: 4724
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: DC-01.ABC
Description:
An attempt was made to reset an account's password.
Subject:
Security ID:
SYSTEM
Account Name:
DC-01$
Account Domain:ABC
Logon ID:
0x3e7
Target Account:
Security ID:
ABC\accountname
Account Name:
accountname
Account Domain:ABC
--------------------------------------
This log is from Domain Controller (DC-01)
It repeat two days, about ten accounts for each day.
I try to troubleshoot this issue but I don't know why or who did it.
I scan for virus but not found any thing
Any idea?
Thank you all.