Can account SUPPORT_388945a0 be deleted from domain controller?

    Question

  • Hi Guys,

    I see that an account "SUPPORT_388945a0" has been created on the domain controller automatically. Can we delete it safely?

     

    Thanks,

    OCS User

    Wednesday, July 06, 2011 11:55 AM

Answers

  • Hi.
    FYI: The Support_388945a0 account enables Help and Support Service
    interoperability with signed scripts. This account is primarily used to
    control access to signed scripts that are accessible from within Help and
    Support Services. Administrators can use this account to delegate the
    ability for an ordinary user, who does not have administrative access over a
    computer, to run signed scripts from links embedded within Help and Support
    Services. These scripts can be programmed to use the Support_388945a0
    account credentials instead of the user’s credentials to perform specific
    administrative operations on the local computer that otherwise would not be
    supported by the ordinary user’s account. When the delegated user clicks on
    a link in Help and Support Services, the script executes under the security
    context of the Support_388945a0 account. This account has limited access to
    the computer and is disabled by default.
     
    Read more at:
    http://technet.microsoft.com/en-us/library/cc779144(WS.10).aspx
     
    ----------------------------------------------------------
     
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
     
    "OCS2007R2" wrote in message news:b8621da7-1361-4a1a-a42b-2425414bfa71...
     
    Hi Guys,
     
    I see that an account "SUPPORT_388945a0" has been created on the
    domain controller automatically. Can we delete it safely?
     
     
    Thanks,
     
    OCS User
     
     

    Enfo Zipper Christoffer Andersson – Principal Advisor
    Wednesday, July 06, 2011 10:10 PM
  • Actually, that statement is incorrect. AD (or more specifically the DSA/DC) can request that a set of default accounts and groups be created. This is used, for example, when you introduce a DC with a new NT version in a domain (this is independent of DFL/FFL); there are different “default” accounts and groups defined for, for example, Windows 2000 and Windows Server 2008 R2.

    The introduced DSA with a new NT version calls the operational attribute runSamUpgradeTasks. The conditions for this operation, and the accounts and groups it will create in the domain, are outlined here:
    http://msdn.microsoft.com/en-us/library/dd240061(v=prot.13).aspx
     
    ----------------------------------------------------------

    Enfo Zipper
    Christoffer Andersson – Principal Advisor

    "Awinish" wrote in message news:f873aab8-5b07-42b8-90b8-7392b5cbcebf...

    This can't be automatic, as there is no way AD can create an account until it's been automated using a script or some other tools. I have seen a few groups created automatically during application installation. I would suggest you don't delete it immediately; it might create an issue if it is used for authentication as a service. Disable it and then check the impact before proceeding further.

     

    Regards


    MVP-Directory Services 

    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    Enfo Zipper Christoffer Andersson – Principal Advisor
    • Marked as answer by OCS2007R2 Wednesday, July 13, 2011 2:33 AM
    Wednesday, July 06, 2011 10:17 PM

All replies

  • AD doesn't create such an account for its purposes.  If you are unsure whether it is needed, I would first disable it and then wait some time prior to deleting it.  Does it have any details within the attributes of the account itself to help you determine where it was originally generated?

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, July 06, 2011 12:02 PM
    Moderator
  • This can't be automatic, as there is no way AD can create an account until it's been automated using a script or some other tools. I have seen a few groups created automatically during application installation. I would suggest you don't delete it immediately; it might create an issue if it is used for authentication as a service. Disable it and then check the impact before proceeding further.

     

    Regards


    MVP-Directory Services 

    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, July 06, 2011 12:18 PM
    Moderator
  • FWIW, I'm seeing type 10 logon attempts (RWW in my case) from Beijing on this username.
    Sunday, April 01, 2012 1:58 AM
  • I'm with John Carter - I'm seeing RDP connections coming from somewhere in Asia using the Support_399845a0 user account.  I opened Task Manager, selected "Processes from all users", and saw frdpb.exe.  I have the suspicion that we're dealing with a Trojan horse somewhere on the server.

    I've deleted the account, but it appears a few days later.  I'm about to run an Anti-Malware program - but does anyone know of an existing trojan?

    Wednesday, May 23, 2012 12:27 AM
  • This is a service account. I agree with others who have said that when you come across unknown accounts, simply disable them, wait and see if it causes any issues, and then delete them. I would also recommend doing your research on these unknown accounts. Make sure you use a least-privilege type of access approach.

    If you have any AD & GPO questions let me know.

     


    Mark D. Albin IT Master Services www.itmasterservice.com (775) 229-4254

    Thursday, January 03, 2013 1:12 PM
  • John, there are hackers from China using that account; check your "Remote Desktop Users" and "Administrators" user groups. If the account SUPPORT_388945a0 or Guest is in there, then your system is compromised. If you delete/disable the accounts and they reappear, then there is a bat file that is recreating them.
    • Edited by yeddy Tuesday, February 19, 2013 3:45 AM
    Tuesday, February 19, 2013 3:41 AM
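
The checks suggested in the replies above (privileged group membership, type 10 logons, and what recreates the account after deletion), as an added PowerShell example that is not code from any poster in this thread. It assumes an elevated session on a Windows Server 2008 or later domain controller with the ActiveDirectory module; the 30-day look-back and the helper name `ConvertTo-EventFields` are choices made for this example.

```powershell
# Added triage example; read-only, run elevated on the domain controller.
# Assumes the ActiveDirectory module and Server 2008+ Security event IDs.
Import-Module ActiveDirectory

$watch  = 'SUPPORT_388945a0', 'Guest'              # accounts named in the thread
$groups = 'Administrators', 'Remote Desktop Users' # groups named in the thread
$since  = (Get-Date).AddDays(-30)                  # look-back window (assumption)

# 1. Current state of each watched account (is it enabled, when was it created?).
foreach ($name in $watch) {
    Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties whenCreated, whenChanged, LastLogonDate |
        Select-Object SamAccountName, Enabled, whenCreated, whenChanged, LastLogonDate
}

# 2. Watched accounts that are members of the privileged groups.
foreach ($g in $groups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $watch -contains $_.SamAccountName } |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
}

# Hypothetical helper: turn an event's named <Data> elements into a hashtable.
function ConvertTo-EventFields($record) {
    $fields = @{}
    foreach ($d in ([xml]$record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# 3. Logons (4624), failed logons (4625) and account creations (4720) for the watched names.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertTo-EventFields $_
        if ($watch -notcontains $f.TargetUserName) { return }
        # For logon events keep only type 10 (RemoteInteractive, i.e. Remote Desktop).
        if ($_.Id -ne 4720 -and $f.LogonType -ne '10') { return }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Account = $f.TargetUserName
            Source  = $f.IpAddress        # empty for 4720
            Actor   = $f.SubjectUserName  # for 4720: the account that created it
        }
    }
```

A 4720 row whose `Time` falls after you deleted the account shows which security principal recreated it, which is the starting point for finding the responsible script or scheduled task.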
  • Of course you can delete.. if not used for administrator purposes that is..
    Besides that it can be used as a backdoor (smart people only)

    go start, click run, type: cmd

    type: net users SUPPORT_388945a0 /delete

    done..

    Wednesday, January 29, 2014 11:38 AM