I have in the Documents and setting folders 2 user profile written in Chinese font (i have multi Language installed). After some troubleshooting, i noticed that this Chinese written profile was the one used by the domain admin user. I can logon with the Domain/Admin user without any problems copied something on desktop and checked in the Chinese profile the file was there. I logged on with the local admin, The user profile works fine. Tested copying on the desktop and the file is there in the local/admin profile. So to recapitulate, Local admin has its normal profile folder structure. Domain admin has a Chinese font written profile folder structure. I checked my events log and noticed the following event. ========================================================================= Event Type: Error Event Source: NETLOGON Event Category: None Event ID: 5788 Date: 04/03/2003 Time: 8:18:55 AM User: N/A Computer: powervault Description: Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were 'HOST/powervault' and 'HOST/powervault'. The following error occurred: The parameter is incorrect. Data: 0000: 57 00 00 00 W... ========================================================================= I was wondering if this could have something to do with the weird profile. Is it possible that the Domain\admin user profile gets corrupted because the computer can't register properly in the AD.? I have this partition mirrored to another drive and these folders don't show up in the 2nd drive. Maybe it is just corrupted. Would it mirror corrupted data ? I assume yes. but its not. I have deleted the user profile which i could delete with local/admin. Re-logged with Domain/admin and the good profile was created. Now the only thing left to do is to monitor so make sure the profile folders don't come back as Chinese. anyway, i though i might share the weirdness with you guys. So it could help us all to understand what happened and why. Thanks for any help. Dre. -----Original Message----- From: Rob Shein [mailto:shotenat_private] Sent: February 20, 2003 11:19 AM To: 'Greg Wiedeman'; incidentsat_private Subject: RE: Weird Profile in Documents and Settings I have never seen this before, but the squares are indicators of extended characters. Do the profiles show up in the profile list, and what else can you tell us about them? How big are they, are they the same size on all machines, what is in the folders? > -----Original Message----- > From: Greg Wiedeman [mailto:gswcentralat_private] > Sent: Thursday, February 20, 2003 6:38 AM > To: incidentsat_private > Subject: Weird Profile in Documents and Settings > > > > > I have an incident where in the documents and settings in > windows 2000 I > have a profile show up under a number of systems where the > name of the > folder shows up as 3 squares. I don't know where it came from but it > appears on my workstations and my servers. I don't know what > it is. Does > anyone know anything that would make this profile???? I have > done virus > scans and trojan scans along with scumware scans but all turn > up negative. > Thanks > > -------------------------------------------------------------- > -------------- > > Do you know the base address of the Global Offset Table (GOT) > on a Solaris 8 box? CORE IMPACT does. www.securityfocus.com/core > > ---------------------------------------------------------------------------- Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box? CORE IMPACT does. www.securityfocus.com/core ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 07:53:37 PST