Hello all,

Recently, I've run into an interesting event where two separate domain controllers in our environment each reset the password to a disabled users\admin account about 5 hours apart. I've looked all through the logs and was able to verify that both security log event IDs 4724 and 4738 were generated on the domain controllers in question. What's most interesting is that it says that it's 'System' and 'Domain\domainController$' as the active account. I've googled extensively, but am at a loss as to how or why this would be a thing. Now it's possible that it could be someone living off the land, I suppose, but I'm thinking it's something automated or called somehow.

Any ideas? Anything you can think of is greatly appreciated! Thanks in advance!
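The kind of triage script that helps with a question like this one, as an added example that is not part of the original post or any reply: it pulls 4724 and 4738 from each DC for one target account, then joins the SubjectLogonId of each change to a 4624 logon event on the same DC so you can see the logon type, logon process and source address behind the reset. The DC names and the account name are placeholders, and the event data field names (TargetUserName, SubjectLogonId, TargetLogonId, LogonType, LogonProcessName, IpAddress) are assumed to be the standard names in the Security log XML.

```powershell
# Added example (not from the original post). Correlates password-reset events
# with the logon session that performed them, per domain controller.
# Assumptions (placeholders): DC hostnames and the target sAMAccountName.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # placeholder DC names
    [string]$TargetUser = 'disabled.admin',              # placeholder account
    [int]$LookbackDays = 7
)

# Turn an event's <EventData> into a hashtable keyed by the Data Name attribute,
# which is more robust than indexing $Event.Properties by position.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$since   = (Get-Date).AddDays(-$LookbackDays)
$results = foreach ($dc in $DomainControllers) {
    # 4624 is fetched once per DC and indexed by TargetLogonId so each
    # change event can be matched to its session without re-querying.
    $logonIndex = @{}
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $l = ConvertFrom-EventData $_
        if ($l.TargetLogonId -and -not $logonIndex.ContainsKey($l.TargetLogonId)) {
            $logonIndex[$l.TargetLogonId] = $l
        }
    }

    # 4724 = password reset attempt; 4738 = user account changed.
    $changes = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4724, 4738; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $changes) {
        $d = ConvertFrom-EventData $e
        if ($d.TargetUserName -ne $TargetUser) { continue }

        # SubjectLogonId 0x3e7 is the DC's own SYSTEM session: the reset was done
        # by code running as LocalSystem on that DC, so there is no 4624 to join.
        $isSystem = ($d.SubjectLogonId -eq '0x3e7')
        $l = if (-not $isSystem -and $logonIndex.ContainsKey($d.SubjectLogonId)) {
                 $logonIndex[$d.SubjectLogonId]
             } else { @{} }

        [pscustomobject]@{
            DC             = $dc
            Time           = $e.TimeCreated
            EventId        = $e.Id
            Target         = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Subject        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            SubjectLogonId = $d.SubjectLogonId
            LocalSystem    = $isSystem
            LogonType      = $l.LogonType         # e.g. 3 network, 10 RDP; empty for SYSTEM
            LogonProcess   = $l.LogonProcessName
            SourceIP       = $l.IpAddress
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

Run it from a host that can read the Security log on each DC remotely (or run it locally on each DC with a single name in the list). If every matching row shows LocalSystem = True, the change did not come through a network or interactive session at all; the next place to look is what was running as SYSTEM on that DC at that time (process creation auditing via 4688, or Sysmon if deployed) rather than the logon events.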