If you don't have the auditing enabled now, you are probably not going to catch 
the change. Hmm - I'm not even sure you can audit the local security accounts 
database - I suspect not.

The other alternative would be to look at logon/logoff events. Some account 
must have been logged on (interactively, via RDP, across the network, or as a 
service/batch job) in order to make the change.

Cheers
Ken

From: Clubber Lang [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 29 October 2008 1:14 PM
To: NT System Admin Issues
Subject: Re: Unknown account created and added to local admins group

By looking at the security log in the event viewer of the workstation.

So if I haven't set up object access auditing already, it's too late to gather 
any more data for this event. Is that about right?

On Tue, Oct 28, 2008 at 6:02 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:

How are you finding out this information at the moment? As best I can tell, you 
can use object access auditing to get this information - but if you have that 
on already...

Cheers
Ken

From: Clubber Lang [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 29 October 2008 10:14 AM
To: NT System Admin Issues
Subject: Unknown account created and added to local admins group

An account has been created and added to the local Administrators group on an 
XP workstation that's a member of a domain. The name of the account is a long 
string of random small and capital letters like this:  wiwr7eyieUEIRU4EYSRI

I see in the Security log when the account was added, then a password added, 
then added to the local Administrators group, and it all occurred within 1 
minute. But is there a way to tell if another local or domain account was used 
to do the adding, and if so which one?
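
Added example, not part of the thread or written by either poster: a sketch of the correlation Ken suggests in the top reply, listing which logon sessions were open while the account was created, given a password and added to the group. The event IDs (528/540 logon, 538 logoff, 624/628/636 account changes) are the XP-era Security log IDs; the CSV layout, the timestamps and the EXAMPLE\ accounts are constructed for illustration.

```python
from datetime import datetime

LOGON, LOGOFF = {528, 540}, {538}   # XP-era logon / logoff event IDs
CHANGE = {624, 628, 636}            # account created, password set, added to local group
LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch",
               "5": "service", "10": "RDP"}

# Constructed sample export (not from the thread):
# time, event ID, account, logon type, logon ID
SAMPLE = """\
2008-10-28 08:02:11,528,EXAMPLE\\alice,2,0x1a2b
2008-10-28 09:15:40,540,EXAMPLE\\svc_backup,3,0x2c3d
2008-10-28 09:15:52,538,EXAMPLE\\svc_backup,3,0x2c3d
2008-10-28 13:40:03,528,EXAMPLE\\bob,10,0x3e4f
2008-10-28 13:47:10,624,wiwr7eyieUEIRU4EYSRI,,
2008-10-28 13:47:12,628,wiwr7eyieUEIRU4EYSRI,,
2008-10-28 13:47:31,636,wiwr7eyieUEIRU4EYSRI,,
2008-10-28 17:30:00,538,EXAMPLE\\alice,2,0x1a2b
"""

def sessions_open_during_change(export):
    """Return (account, logon type) for sessions open while the account changes were logged."""
    sessions, changes = {}, []
    for line in export.strip().splitlines():
        when, event_id, account, logon_type, logon_id = line.split(",")
        when, event_id = datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), int(event_id)
        if event_id in CHANGE:
            changes.append(when)
        elif event_id in LOGON:
            sessions[logon_id] = [when, None, account, logon_type]
        elif event_id in LOGOFF and logon_id in sessions:
            sessions[logon_id][1] = when
    if not changes:
        return []
    start, end = min(changes), max(changes)
    hits = []
    for logon, logoff, account, logon_type in sorted(sessions.values(), key=lambda s: s[0]):
        # A logoff event is not always recorded, so a session with no logoff stays a candidate.
        if logon <= end and (logoff is None or logoff >= start):
            hits.append((account, LOGON_TYPES.get(logon_type, logon_type)))
    return hits

if __name__ == "__main__":
    for account, kind in sessions_open_during_change(SAMPLE):
        print(account, kind)
```

The result is a list of candidates, not an answer: every session open during the one-minute window is returned, and each still has to be ruled in or out.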