Security Incidents mailing list archives

Re: strange account in Win2k


From: Kevin <kevin () ktstone com>
Date: Tue, 28 May 2002 17:20:13 -0400

I have seen this before as well.  I know that this sounds strange but could you
detect a change in hair color of the icon?  Grey hair represents an account that
has been modified but replication has not yet been completed.

A SID of 1008 at the end usually represents an account that is user defined.  The
group membership of the account is interesting.  The "Network" group is a System
related group that is self generated like the everyone group as well as the
interactive group.

I might be a little in left field but a sid ending in 1008 is the 7th account you
created.  You might want to run user2sid/sid2user to determine which account it
was.

my 2 cents.

kevin


Dan Cuthbert wrote:

Is this machine part of a Domain? If so that is normally the domain acc

* Mark Fagan (Mark.Fagan () esat com) Tapped away:
While setting additional privileges on a Win2k webserver  I noticed that
certain privileges (logon as batch job, act as part of o/s, logon locally
and network) were applied to a very strange account -
*S-1-5-21-527237240-162531612-725345543-1008 which is not seen as a user
account. Any ideas folks ?

              Mark Fagan
              TDA
              Esat Business
              1 Grand Canal Quay
              Dublin 2, Ireland.
              E mark.fagan () esat com
              www.esatbusiness.com







----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


Dan Cuthbert
Network Security Consultant
IdSec
Key fingerprint = 9BFB 60F1 1B46 F9F0 4E2C  84A6 8D04 E771 54A6 1116


--
v/r

Kevin Steiner
MCT, MCSE, MCSA, MCDBA
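
An added example for readers of this thread (not part of any poster's message): a Python parser that splits a SID like the one Mark quotes into its issuing prefix and RID, so an unresolved entry in a rights listing can be triaged. The function names, the `local_issuer` parameter and the small lookup tables are this example's own; the tables hold only a few documented well-known values.

```python
import struct

# Small subset of documented well-known SIDs and reserved RIDs.
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-2": "Network",
                   "S-1-5-4": "Interactive", "S-1-5-18": "Local System"}
RESERVED_RIDS = {500: "Administrator", 501: "Guest",
                 512: "Domain Admins", 513: "Domain Users"}

def parse_sid(text):
    """Return (authority, [sub-authorities]) for a string SID.
    A leading '*', as printed in user-rights listings, is ignored."""
    parts = text.strip().lstrip("*").upper().split("-")
    if len(parts) < 3 or parts[:2] != ["S", "1"] or not all(p.isdigit() for p in parts[2:]):
        raise ValueError("not a revision-1 SID: %r" % text)
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 2**48 or any(s >= 2**32 for s in subs):
        raise ValueError("field out of range: %r" % text)
    return authority, subs

def sid_from_bytes(raw):
    """Decode the binary form: revision, count, 48-bit big-endian authority,
    then `count` 32-bit little-endian sub-authorities."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def classify(text, local_issuer=None):
    """Triage a SID; local_issuer is the machine's own S-1-5-21-x-y-z prefix, if known."""
    authority, subs = parse_sid(text)
    sid = "S-1-%d" % authority + "".join("-%d" % s for s in subs)
    if sid in WELL_KNOWN_SIDS:
        return {"sid": sid, "kind": "well-known", "name": WELL_KNOWN_SIDS[sid]}
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        issuer, rid = sid.rsplit("-", 1)[0], subs[-1]
        # RIDs below 1000 are reserved; 1000 and up are handed out to accounts,
        # groups and computer objects as they are created.
        kind = "reserved" if rid < 1000 else "created"
        scope = None if local_issuer is None else (
            "local" if issuer == local_issuer.lstrip("*").upper() else "foreign")
        return {"sid": sid, "kind": kind, "rid": rid, "issuer": issuer,
                "scope": scope, "name": RESERVED_RIDS.get(rid)}
    return {"sid": sid, "kind": "other", "name": None}

if __name__ == "__main__":
    print(classify("*S-1-5-21-527237240-162531612-725345543-1008"))
```

Passing the machine's own SID prefix as `local_issuer` shows whether an unresolved SID was issued by the local account database or by another machine or domain.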






