|
Posted by Steven L Umbach on January 12, 2006, 10:06 pm
If you were Registered and logged in, you could reply and use other advanced thread options
does indeed have the user right for impersonate user after logon. By default
the administrators group has that user right. I would also check his account
for group membership to see if it was you expect. If you have enabled
auditing of account management and policy change you could see if his user
account has had it's group membership changed and by who and if user rights
were changed on the computer and by who. If the user is shown to have logged
on at a time when he was not there then that is a reason for concern unless
a Scheduled Task or such ran on a schedule that used his credentials but the
logon type should indicate that. Type 2 logons are direct keyboard logons or
via Remote Desktop/TS on a Windows 2000 computer while for XP/2003 computers
they could only be keyboard logon. --- Steve
>I have a user who works partime during the day. They just started.
>
> Today, I'm looking through the event log for successful logon or logoff
> and
> I see the logon name with the event 576
> Privileges: SELoadDriverPrivilege
> Privileges: SeImpersonatePrivilege
>
> When I follow the link to microsoft for explanation, I'm alarmed by the
> cautionary remarks. In short I think that this is evidence of a hack. The
> user did not login at the specified time, and certainly would not have the
> know how or the rights to assign special privileges. I am the only admin
> here. Can someone please advise me on what I'm seeing?
> Thanks
>
| 
XML site map