We did a sweep of recent account changes, a couple of accounts have recently been compromised and we wanted to check for anything unusual.

One account popped up showing a change made on Monday, none of the administrators have a record of or remember even looking at this particular account so I started to dig into it. The app we use to report this is ManageEngine ADAudit Plus and the information it provided was this

I have removed the user name and domain controller details for obvious reasons. The Caller User Name has also been removed for the same reasons, but it was listed as one of our Exchange servers.

From what I understand, the modified attribute is no longer used, everything I can find relating to it says it was used in Exchange 2003, we are using Exchange 2013 and this user account was created this year, when we were already using 2013 so it is not something inherited from an old Exchange environment.

Does anyone have any idea what this means? I have tried to replicate it on a test account and cannot.

I don't have any idea what you're looking at, so I'd recommend you find a ManageEngine ADAudit Plus forum and ask there.

If you're talking about account logon to domain controllers, that's not an Exchange thing, so in that case I'd recommend that you post this in the Active Directory Services Forum: http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads

Hi,

According to your description, I understand that the issue is related to Active Directory side . This forum focuses on some general discussion about Exchange .

So I suggest you can follow Ed's suggestion to ask a question in AD Forum.

Thank you for your understanding.

Regards,

David