I have a job site where one employee has seemed to changed my Administrator Password on a Win2000 machine. Does anybody know how he might have pulled it off and what I need to do the same so I can see if he does it again.

Thanks
Shoe1

Either he got your admin password somehow, or he used a hack proggie. There's several little programs that allow you to change the admin password. One is called Locksmith from Winternals and allows you to change the password to anything you want, but you need to mount the system drive from another OS session to do it. Search the workstations to see if Locksmith was installed in any of them. Another is a linux floppy disk, where you boot with your W2K cd, and press F6 to load other drivers, and put the floppy in. It changes the password to 1234.

I suggest you change the boot order to hard drive first, lock the case, password the CMOS, and set GPO's to restrict network access as tight as you can. Also set a GPO to prevent access to the CD or floppy by anyone but admins on that machine. And make sure you check to see who is watching when entering your password, and keep the server consoles locked when you are away from it.

Another thing you may consider is adding a syskey password. Only problem is that attempts to change the password can corrupt AD, so you will not be able to boot at all, and will have to restore AD from backup. Better would be to add a power on password in CMSO.

You can audit account management and filter the audit logs for changes to the admin account. This would catch him if he stole your admin password somehow, but won't work if he's using one of those hacks.

I agree with the watching your back part, corp I used to work for had great security, or so we thought. I found a week old network level admin password lying on a slip of paper in the floor... Needless to say the password was changed... again.

Thats great advise and I will put it to good use. I have to admit I don't have experience with linux and that answer is definitly a new one to me. Thanks all for replying. Always look here first for professional help when needed.
Shoe

You can also get a bick stick and beat the password out of they guy who changed it.
Or just ask him to tell it to you and then get the stick out so he never attempts to steal it again.

There are several Linux boot disks out there for download that will change any NT password on the local machine (local being the one they can get to physically and boot with the floppy)
Change the BIOS's to have an admin password, make the floppy not bootable via the bios, sure its not going to STOP anyone, but may make it not worth their while, especially if they have a chance of getting walked in on with the case open. (i think ntbootdisk.com has this disk too, the linux disk that is)