Reset password by SYSTEM?

    Question

  • Hi Guys,

    Our customer has a security issue now: some users have had their passwords reset by the SYSTEM account, as shown below:

    ---------------------

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          7/23/2013 10:02:48 PM
    Event ID:      4724
    Task Category: User Account Management
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      DC-01.ABC
    Description:
    An attempt was made to reset an account's password.

    Subject:
    Security ID: SYSTEM
    Account Name: DC-01$
    Account Domain: ABC
    Logon ID: 0x3e7

    Target Account:
    Security ID: ABC\accountname
    Account Name: accountname
    Account Domain: ABC

     --------------------------------------

    This log is from the Domain Controller (DC-01).

    It repeated for two days, about ten accounts each day.

    I tried to troubleshoot this issue, but I don't know why or who did it.

    I scanned for viruses but did not find anything.

    Any idea?

    Thank you all.


    Wednesday, July 24, 2013 2:55 AM

All replies

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    Do you have FIM installed? If this is the case, the issue can be related to the password reset feature.

    http://technet.microsoft.com/en-us/library/ee534892(WS.10).aspx

    Regards

    Kevin

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Thursday, July 25, 2013 3:18 AM
  • No, I don't have FIM. Do you have any other suggestions?

    It had not happened for two days, but today it came back again.

    Users complain a lot because their passwords have been changed without notice :(

    Please help me!!!

    P.S.: Can you show me how to check whether FIM is installed in this organization? Like showing the port it uses to connect to the AD server, or something else. Thank you.

    • Edited by NgocNP Saturday, July 27, 2013 2:55 AM edit
    Saturday, July 27, 2013 2:45 AM
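
A triage sketch for the event quoted in the question, added here as an example and not code from the thread: it parses 4724 records exported in that text layout and groups the reset targets by day, computer and subject account for resets made from logon session 0x3e7 (the Local System session). The sample events, the ABC\helpdesk account and the `field`, `parse_events` and `system_resets` names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (question's text layout); targets, times and ABC\helpdesk are made up.
TEMPLATE = """Log Name:      Security
Date:          {date}
Event ID:      4724
Computer:      DC-01.ABC
Subject:
    Security ID: {sid}
    Account Name: {subject}
    Logon ID: {logon_id}
Target Account:
    Account Name: {target}
"""
ROWS = [("7/23/2013 10:02:48 PM", "SYSTEM", "DC-01$", "0x3e7", "user1"),
        ("7/23/2013 10:02:51 PM", "SYSTEM", "DC-01$", "0x3E7", "user2"),
        ("7/23/2013 11:40:02 PM", "ABC\\helpdesk", "helpdesk", "0x5a1c2", "user3"),
        ("7/24/2013 9:15:30 PM", "SYSTEM", "DC-01$", "0x3e7", "user4")]
SAMPLE = "".join(TEMPLATE.format(date=d, sid=s, subject=a, logon_id=i, target=t)
                 for d, s, a, i, t in ROWS)

def field(name, part):
    """Return the value of the first 'name: value' line in part, or ''."""
    m = re.search(rf"(?m)^\s*{re.escape(name)}:\s*(.+?)\s*$", part)
    return m.group(1) if m else ""

def parse_events(text):
    """Split an export on 'Log Name:' and return one dict per 4724 record."""
    events = []
    chunks = re.split(r"(?m)^\s*(?=Log Name:)", text)
    for chunk in (c for c in chunks if field("Event ID", c) == "4724"):
        head, _, rest = chunk.partition("Subject:")
        subject, _, target = rest.partition("Target Account:")
        events.append({"date": field("Date", head), "computer": field("Computer", head),
                       "subject": field("Account Name", subject),
                       "logon_id": field("Logon ID", subject).lower(),
                       "target": field("Account Name", target)})
    return events

def system_resets(events):
    """Group reset targets by (day, computer, subject) for logon session 0x3e7."""
    grouped = defaultdict(list)
    for e in events:
        if e["logon_id"] == "0x3e7":  # Local System logon session on that computer
            grouped[(e["date"].split()[0], e["computer"], e["subject"])].append(e["target"])
    return dict(grouped)

print(system_resets(parse_events(SAMPLE)))
```

Grouping the records this way shows which computer's SYSTEM context issued the resets and at what times, which narrows the search to whatever was running as Local System on that host then.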