In W2K3 Server, if I have a domain/or domain controler lock out policy, does it affect the Domain Administrator account (ie can the administrator account be locked out)?

I see a great deal of failed login attempts against "Administrator" in my AD Security log but I don’t see "Administrator" ever being locked out. (I don’t think anyone is attempting consol login.) Maybe a person is logged into there local PC as local administrator and trying to connect to the domain. Any thoughts

By default this account will not be locked out although there is an option
to allow it to do so. If it were possible to lock this account by default
you could easily imagine a scenario where the only admin account in the
domain was locked and your forest would be stuffed.

You can usually get the IP address of the PC where the logon attempts are
coming from from the security logs, if you're not sure how to do this post
back the hex values and I'll see if I can convert them to an IP.

"AdminKen" <(E-Mail Removed)> wrote in message
news:E98E3686-9EC6-4248-B78D-(E-Mail Removed)...
> In W2K3 Server, if I have a domain/or domain controler lock out policy,
does it affect the Domain Administrator account (ie can the administrator
account be locked out)?
>
> I see a great deal of failed login attempts against "Administrator" in my
AD Security log but I don't see "Administrator" ever being locked out. (I
don't think anyone is attempting consol login.) Maybe a person is logged
into there local PC as local administrator and trying to connect to the
domain. Any thoughts?
>

I see a lot of these from various user names from the Security log on the IIS server. Ironman is the name of our IIS server (not a DC). Is this a failed IIS login or something else

Event ID 68
The logon to account: tdole
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_
from workstation: IRONMA
failed. The error code was: 3221225572

Hi

Refer to

273499 Description of Security Event 681
http://support.microsoft.com/?id=273499

This is probably just a user making a typo when they attempt to authenticate
to the IIS server (assuming you require them to authenticate). If you're
seeing a lot of these per second, the issue is likely to be process driven
and probably warrants further investigation.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (E-Mail Removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"AdminKen" <(E-Mail Removed)> wrote in message
news:F10CC1B0-3265-44FF-9283-(E-Mail Removed)...
>I see a lot of these from various user names from the Security log on the
>IIS server. Ironman is the name of our IIS server (not a DC). Is this a
>failed IIS login or something else?
>
> Event ID 681
> The logon to account: tdolez
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: IRONMAN
> failed. The error code was: 3221225572

Hi Mark, say hello to all the lads in the domains team from me!

"Mark Renoden [MSFT]" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi
>
> Refer to
>
> 273499 Description of Security Event 681
> http://support.microsoft.com/?id=273499
>
> This is probably just a user making a typo when they attempt to
authenticate
> to the IIS server (assuming you require them to authenticate). If you're
> seeing a lot of these per second, the issue is likely to be process driven
> and probably warrants further investigation.
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: (E-Mail Removed)
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> "AdminKen" <(E-Mail Removed)> wrote in message
> news:F10CC1B0-3265-44FF-9283-(E-Mail Removed)...
> >I see a lot of these from various user names from the Security log on the
> >IIS server. Ironman is the name of our IIS server (not a DC). Is this a
> >failed IIS login or something else?
> >
> > Event ID 681
> > The logon to account: tdolez
> > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > from workstation: IRONMAN
> > failed. The error code was: 3221225572
>
>