Have I been hacked?! (User already logged in)

I am not sure if you mean that an account was in use that had admin status or that the account that had the username Administrator [in full] was in use.

If the account that had the username Administrator [in full] was in use then you have been infiltrated because that account is, by default, disabled and no third-party should be able to enable it if you have UAC ["User account control"] set up normally.

Your immediate action should be to disable it
Administrator account - Enable or Disable - TenForumsTutorials

Then, whatever the identity of the user account concerned, check your UAC setting
Change User Account Control level - TenForumsTutorials
Note that if the account you are routinely logged in to has admin status then you need to set UAC to its highest setting because malware can, it is thought, find ways to sneek through otherwise.

Next, whatever the identity of the user account concerned, you will then have to run a full Windows defender scan to try to remove whatever has been put on by the hacker.
- Of course that hacker might have just been copying off data but is likely to have at least tried to put something on to help get back in later on.
- That hacker might also have been trying to encrypt your own files, a "ransomware" attack.
Manually Scan Files, Folders, and Drives with Windows Defender Antivirus - TenForumsTutorials
Windows Defender Offline Scan - TenForumsTutorials

You can search for additional guidance in AntiVirus, Firewalls and System Security - TenForums and can post there if you further assistance.

Denis

Jamie,

You need to check with one of the IT support staff managing the domain but the username "Administrator" is a reserved name and I cannot imagine why they might have deliberately assigned that name to anything else.

However, if you are the "IT support staff" then what I said in my first post applies but you'll have to do it for the computers and for the server. I do not know anything about doing this for the server.

Windows server 2000 has been out of support for a decade.
- Malware writers are bound to be able to get through it because they've had a decade to try working out how to do it safe in the knowledge that no vulnerabilities they discover are ever going to get fixed.
- An out-of-date OS is the most common means of subverting the security of a computer or, in this case, your whole network. Some people say that 90% of all malware attacks are against perceived vulnerabilities of an OS {others say 99% but it does not make much difference what the precise figure is because they are probably all made up on the spot anyway}
- Personally, I'd suggest turning the server off while any computer is connected to the internet until you have replaced it with a modern server OS that is still supported.

Denis

Understood. The immediate actions are
1 Create a password-protected local admin account on each computer so that you have an account to fall back on if Jamie gets corrupted.
2 Removing that common built-in domain admin from every computer's 'Other users' lists
3 The immediate actions given in my first post - disable every Built-In admin, check UAC, malware scanning & removal
3 Ditch the server OS

Denis

Jamie, Our last couple of posts have crossed over each other during editing - I corrected & added to my posts after you had responded but before I could see that you had done so. Sorry. Denis