We've found the domain Administrator account - which we do not use except in the event of a disaster recovery scenario - has a recent date in the LastLogonTimeStamp attribute. As far as I am aware, no-one should have used this account in the time period concerned (and several months beyond), but maybe some idiot has configured it to run a scheduled task.
Due to the quantity of security log events (and lack of a SIEM tool for analysis), I wanted to determine which DC had the actual lastLogon time (i.e. not the replicated attribute) for the account, but I have queried each DC in the domain, and they each have a lastLogon of "none" for Administrator.
This is a child domain in the forest, so it's possible that someone has used this child domain Administrator account to run something in the parent domain.
Can anyone think of a way to determine which DC is doing the logon other than examining the potential 20 million events from 16 forest DCs around the time recorded in LastLogonTimestamp? I suppose I could target the parent domain DCs first (as the child DCs seem not to have done the auth).
Explanation
[Added after zeroing in on the cause using repadmin, per the below]
The original reason for this request was due to our IT Security team, who were wondering why we were apparently logging on with the default domain Administrator account on a frequent basis.
We knew that WE were not logging it on. It turns out that there is a mechanism called "Kerberos S4u2Self", which is when a calling process running as Local System is doing some privilege escalation. It does a network logon (not interactive) as Administrator on a domain controller. As it's non-interactive, this is why there is no lastLogon for the account on any DC (this account had never been logged onto any current domain controller).
This article explains why the thing pings your logs and makes your security team have kittens (the source machines are Server 2003, to make things worse), and how to track it down. https://blogs.technet.microsoft.com/askpfeplat/2014/04/13/how-lastlogontimestamp-is-updated-with-kerberos-s4u2self/
Lesson learned - only provide reports on lastLogon attributes to IT security teams when it concerns Administrator logons.
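The procedure described in this thread (query the non-replicated lastLogon on every DC, use repadmin to find which DC originated the lastLogonTimestamp write, then look only at that DC's Kerberos ticket events around that time) as an added PowerShell example. This is not code from the original post; it assumes RSAT (the ActiveDirectory module) and repadmin.exe are available, that the domain name `child.example.com`, the account name and the +/- 30 minute window are placeholders you would replace, that repadmin /showobjmeta prints its usual column layout (Originating DSA as `Site\DCNAME`), and that Kerberos service ticket auditing (event 4769) is enabled on the DCs.

```powershell
# Added example, not from the original post. Narrow a "who is logging on as
# Administrator?" investigation from every DC in the forest to one DC.
# Assumptions: RSAT ActiveDirectory module, repadmin.exe, 4769 auditing on.
param(
    [string]$SamAccountName = 'Administrator',
    [string]$Domain         = 'child.example.com',   # assumed child domain
    [int]$WindowMinutes     = 30                      # assumed search window
)

Import-Module ActiveDirectory

$dcs  = Get-ADDomainController -Filter * -Server $Domain
$user = Get-ADUser -Identity $SamAccountName -Server $Domain -Properties lastLogonTimestamp

# 1. lastLogon is not replicated, so it has to be read from each DC in turn.
#    A network/S4U2Self logon may leave it at 0 ("none") everywhere.
$lastLogons = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
    [pscustomobject]@{
        DC        = $dc.HostName
        LastLogon = if ($u.lastLogon -gt 0) { [DateTime]::FromFileTime($u.lastLogon) } else { $null }
    }
}
$lastLogons | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# 2. lastLogonTimestamp IS replicated, and replication metadata records which
#    DC originated the most recent write: that DC handled the authentication.
$replicatedTime = [DateTime]::FromFileTime($user.lastLogonTimestamp)
$meta     = repadmin /showobjmeta $dcs[0].HostName "$($user.DistinguishedName)"
$metaLine = $meta | Where-Object { $_ -match '\s+lastLogonTimestamp\s*$' }
if (-not $metaLine) { throw "No lastLogonTimestamp metadata found for $SamAccountName" }

# Originating DSA column looks like "Default-First-Site-Name\DC01"; keep the DC part.
$originDc = ($metaLine -split '\s+' | Where-Object { $_ -match '\\' } | Select-Object -First 1) -replace '^.*\\', ''
Write-Host "lastLogonTimestamp = $replicatedTime, originated on DC $originDc"

# 3. Pull only the 4769 (Kerberos service ticket request) events for this
#    account on that one DC, inside the window, and group them by client IP.
$filter = @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = $replicatedTime.AddMinutes(-$WindowMinutes)
    EndTime   = $replicatedTime.AddMinutes($WindowMinutes)
}
$events = Get-WinEvent -ComputerName $originDc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "\b$SamAccountName@" }

$parsed = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Client  = $d['IpAddress']
        Account = $d['TargetUserName']
        Service = $d['ServiceName']
    }
}

# The client address with the most requests is the machine to go and look at.
$parsed | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, @{n='Client';e={$_.Name}} | Format-Table -AutoSize
$parsed | Sort-Object Time | Format-Table -AutoSize
```

Step 2 is the part that answers the original question: the originating-DSA column of the replication metadata tells you which of the 16 DCs wrote the new lastLogonTimestamp, so only that DC's security log needs to be searched, and only around the Org.Time/Date it recorded. If the originating DC sits in the parent domain, point `Get-ADDomainController` at that domain instead, since the Administrator object's metadata is only held by DCs of the child domain while the 4769 events are written wherever the ticket was issued.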