Forum Discussion
Orang
Oct 17, 2022 Copper Contributor
ActiveDirectory – Service Accounts with mysterious behavior
A strange behavior is occurring on our network. There are around 30 service accounts that were disabled ages ago. Some were disabled 10-15 years ago. Somehow, about a week or so ago, w...
Dave Patrick
Oct 17, 2022 MVP
Simplest / safest solution may be to delete the accounts if no longer needed.
- Orang Oct 17, 2022 Copper Contributor
Hi Dave,
Thank you for that. However, we have a lot of accounts that have the same behavior. Our concern is: what if someone has got access to our network (an attack or the like)? How can we investigate it?
We have tried the following:
- disabled them - still same behavior
- changed the password with a password generator (128 bit). This was done like 10 days ago - still we see a new lastLogonTimestamp = 10.16.2022 13:36:21
- Dave Patrick Oct 17, 2022 MVP
- disabled them - still same behavior
Doesn't seem possible. So the account gets reenabled? This does sound like some sort of malware at work. May need to consult one of the AV vendors for assistance.
- Orang Oct 17, 2022 Copper Contributor
Any tips on how to dig further are really appreciated 🙂