ActiveDirectory – Service Accounts with mysterious behavior


A strange behavior is occurring on our network.

There are around 30 service accounts that were disabled ages ago. Some were disabled 10-15 years ago.


Somehow, about a week or so ago, we began seeing that these accounts suddenly had a new "lastLogonTimestamp" value in AD.

There is no entry in the security logs at all. Yes, detailed logon auditing is enabled. Yet no logs whatsoever.

Has anyone experienced such behavior?

Does anyone know how to troubleshoot?

Thank you!

12 Replies

Simplest / safest solution may be to delete the accounts if no longer needed.

 

 

@Dave Patrick 

Hi Dave

 

Thank you for that. However, we have a lot of accounts that show the same behavior. Our concern is: what if someone has got access to our network (an attack or the like)? How can we investigate it?

 

We have tried the following:

- disabled them - still the same behavior

- changed the password with a password generator (128 bit). This was done about 10 days ago; still we see a new lastLogonTimestamp = 10.16.2022 13:36:21

 
 
 

 


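The question above (and the list of steps already tried) comes down to finding out which DC recorded the logon and what, if anything, that DC's Security log holds for it. The script below is an added example written for this thread; it is not code from the original poster or from Microsoft. It relies on two facts about these attributes: lastLogonTimestamp is replicated but only refreshed when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), while lastLogon is updated on every successful logon and is never replicated, so each DC holds its own copy and the DC with the newest lastLogon is the one that actually authenticated the account. The script lists disabled users whose lastLogonTimestamp moved after a cut-off date you choose, asks every DC for its lastLogon, and then pulls 4624/4625/4768/4771/4776 events for that account from the matching DC in a window around that time. The cut-off date and the window size are assumptions you adjust; it needs the ActiveDirectory RSAT module and rights to read the DCs' Security logs.

```powershell
# Added example for this thread (not the OP's or Microsoft's code). Assumes the
# ActiveDirectory module, a reachable domain, and read access to DC Security logs.
Import-Module ActiveDirectory

# Only disabled accounts whose replicated lastLogonTimestamp is newer than this
# date are interesting; set it to the week the behaviour was first noticed (constructed value).
$Since  = Get-Date '2022-10-01'
$Window = New-TimeSpan -Minutes 30   # look for events +/- this much around the logon time

$dcs = (Get-ADDomainController -Filter *).HostName

function ConvertFrom-FileTime ([Int64]$ft) {
    # AD stores lastLogon/lastLogonTimestamp as 100-ns ticks since 1601 (UTC); 0 means "never"
    if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
}

# 1. Disabled users whose replicated lastLogonTimestamp moved after the cut-off
$suspects = Get-ADUser -Filter 'Enabled -eq $false' -Properties lastLogonTimestamp |
    ForEach-Object {
        $llt = ConvertFrom-FileTime $_.lastLogonTimestamp
        if ($llt -and $llt -gt $Since) {
            [pscustomobject]@{ Name = $_.SamAccountName; LastLogonTimestamp = $llt; DN = $_.DistinguishedName }
        }
    }

foreach ($acct in $suspects) {
    # 2. lastLogon is per-DC and not replicated: the DC holding the newest value is the
    #    one that processed the logon, which lastLogonTimestamp alone cannot tell you.
    $perDc = foreach ($dc in $dcs) {
        $u = Get-ADUser -Identity $acct.DN -Server $dc -Properties lastLogon -ErrorAction SilentlyContinue
        if ($u) { [pscustomobject]@{ DC = $dc; LastLogon = ConvertFrom-FileTime $u.lastLogon } }
    }
    $hit = $perDc | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1

    Write-Host "== $($acct.Name): lastLogonTimestamp (UTC) = $($acct.LastLogonTimestamp.ToString('u'))"
    if (-not $hit) {
        # No DC has a lastLogon for this account: the timestamp was not produced by a logon
        # on any DC we could reach. repadmin /showobjmeta <dc> "<DN>" shows which DC originated
        # the lastLogonTimestamp write, which is the next place to look.
        Write-Host "   no DC reports a lastLogon; check replication metadata for the originating DC"
        continue
    }
    Write-Host "   newest lastLogon (UTC) = $($hit.LastLogon.ToString('u')) on $($hit.DC)"

    # 3. Logon-related events on that DC around the lastLogon time:
    #    4624/4625 logon success/failure, 4768/4771 Kerberos AS-REQ, 4776 NTLM validation.
    #    An attempt against a disabled account normally surfaces as 4625 with sub-status
    #    0xC0000072 or 4768 with result code 0x12 (KDC_ERR_CLIENT_REVOKED); a successful
    #    4624/4768 for a disabled account is what would actually explain the timestamp.
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4768, 4771, 4776
        StartTime = $hit.LastLogon.ToLocalTime() - $Window
        EndTime   = $hit.LastLogon.ToLocalTime() + $Window
    }
    $events = Get-WinEvent -ComputerName $hit.DC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $x = [xml]$_.ToXml()
            (($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text') -eq $acct.Name
        }

    if (-not $events) {
        Write-Host "   no 4624/4625/4768/4771/4776 for this account on $($hit.DC) in the window;" `
                   "check whether the Security log has wrapped and whether Audit Logon / Account Logon are enabled there"
        continue
    }
    $events | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            IpAddress   = $d['IpAddress']
            Workstation = if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['Workstation'] }
            Status      = $d['Status']
            SubStatus   = $d['SubStatus']
        }
    } | Format-Table -AutoSize
}
```

If every DC's lastLogon is older than the replicated lastLogonTimestamp, the write did not come from a logon on those DCs; the attribute's originating DSA in the replication metadata is the lead to follow. If the matching DC has no events at all in the window, confirm on that DC that the Audit Logon and Audit Account Logon subcategories are enabled for success and failure and that the Security log retention covers the date in question, since a wrapped log looks the same as "no logon ever happened".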

 


Doesn't seem possible. So the account gets re-enabled? This does sound like some sort of malware at work. May need to consult one of the AV vendors for assistance.

 

 

Right now we are running 2 different AVs: Cisco's endpoint protection and Microsoft's. We also have our networking team looking for some sort of strange behavior on the network side.

Nothing whatsoever.
Any tips on how to dig further are really appreciated :)

I'd reach out to the AV vendors for assistance. First step may be to identify it, then if it can be cleaned up or if restore from backup is necessary.

 

 

 

 

@Dave Patrick 

As mentioned, we are running 2 different AVs, Cisco and Microsoft. Both have almost given up.

Nothing to see - yes the behavior is strange.

 

A lot of steps have been taken in the investigation with no result, which is why I reached out to this community, just to see if others have discovered or seen such behavior.

Nope, have not seen this issue here or on Q&A forums or in the past on MSDN/TechNet forums. I'm not sure what's meant by "given up" but if you can't sort it you may need to look at restoring a known good backup.

 

 

 

 

Given up = they can't simply explain why / how such thing can happen :)

Ok, sounds good. I guess if no one can figure it out a restore from backup may be in order.

 

 

@Dave Patrick 

Hi Dave

 

I totally appreciate your comments and inputs.
Just to clear it up for me: when you say backup/restore, would you please explain why and how it would help to restore from backup?

Let's assume the worst-case scenario: someone is attacking our network. What is your thought behind restoring from backup? I hope you will explain it further.

 

Thank you :)

Generally speaking when you restore an active directory domain from a backup one would restore the PDC emulator and rebuild the other ones from scratch.