Orang
Copper Contributor
Oct 17, 2022

ActiveDirectory – Service Accounts with mysterious behavior

A strange behavior is occurring on our network.

There are around 30 service accounts that were disabled ages ago. Some were disabled 10-15 years ago.

Somehow, about a week or so ago, we began seeing that these accounts suddenly had a new "lastLogonTimestamp" attribute in AD.

There is no log in the security logs at all. Yes, deep login audit is enabled. Login auditing is enabled for deep login. Yet no logs whatsoever.

Has anyone experienced such behavior?

Does anyone know how to troubleshoot?

Thank you!

12 Replies

  • Simplest / safest solution may be to delete the accounts if no longer needed.

    • Orang
      Copper Contributor

      Dave Patrick 

      Hi Dave

      Thank you for that - however, we have a lot of accounts that have the same behavior - our concern is, what if someone has got access to our network (attack or like)? How can we investigate it?

      We have tried the following:

      - disabled them - still same behavior

      - changed the password with a password generator (128 bit). This was done like 10 days ago - still we see a new lastLogonTimestamp = 10.16.2022 13:36:21


      • - disabled them - still same behavior

        Doesn't seem possible. So the account gets reenabled? This does sound like some sort of malware at work. May need to consult one of the AV vendors for assistance.
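
For the "how can we investigate it?" question above, one approach, as an added example that is not from any poster in this thread: read the replication metadata of lastLogonTimestamp to find which domain controller wrote the value and when, then search that DC's Security log around that time. It assumes the RSAT ActiveDirectory module and rights to read DC Security logs; the 14-day window, the 5-minute margin and the event ID list are choices made for this example.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Days  = 14                                           # look-back window (assumption)
$Since = (Get-Date).ToUniversalTime().AddDays(-$Days)
$AnyDC = (Get-ADDomainController).HostName            # any reachable DC for the queries

# Disabled accounts whose lastLogonTimestamp moved inside the window.
$suspects = Get-ADUser -Filter 'Enabled -eq $false' -Properties lastLogonTimestamp |
    Where-Object { $_.lastLogonTimestamp -and
        [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) -gt $Since }

$report = foreach ($u in $suspects) {
    # lastLogonTimestamp is a replicated attribute, so its replication
    # metadata records the DC that originated the write and the time.
    $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName `
                -Server $AnyDC -Properties lastLogonTimestamp
    [pscustomobject]@{
        Account       = $u.SamAccountName
        ChangedAt     = $meta.LastOriginatingChangeTime
        OriginatingDC = $meta.LastOriginatingChangeDirectoryServerIdentity
        Version       = $meta.Version                 # how many times it was written
    }
}
$report | Sort-Object ChangedAt | Format-Table -AutoSize

# Search the originating DC's Security log around each write.
# 4768/4769 = Kerberos TGT / service ticket, 4624 = logon, 4776 = NTLM validation.
foreach ($r in $report) {
    # The identity is the DN of the DC's NTDS Settings object; the second
    # RDN is the server name (assumes the default DN layout).
    $dc = ($r.OriginatingDC -split ',')[1] -replace '^CN='
    $t  = $r.ChangedAt
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4768, 4769, 4624, 4776
            StartTime = $t.AddMinutes(-5)
            EndTime   = $t.AddMinutes(5)
        } |
        Where-Object { $_.Message -match [regex]::Escape($r.Account) } |
        Select-Object @{n='DC';e={$dc}}, TimeCreated, Id, @{n='Account';e={$r.Account}}
}
```

If the second loop returns nothing for a DC that the first table names, check that DC's audit policy and Security log retention before concluding that no event was generated.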