Administrator account is not locking out

[Guest]

In W2K3 Server, if I have a domain/or domain controler lock out policy, does it affect the Domain Administrator account (ie can the administrator account be locked out)?

I see a great deal of failed login attempts against "Administrator" in my AD Security log but I don’t see "Administrator" ever being locked out. (I don’t think anyone is attempting consol login.) Maybe a person is logged into there local PC as local administrator and trying to connect to the domain. Any thoughts

 

[Simon Geary]

By default this account will not be locked out although there is an option
to allow it to do so. If it were possible to lock this account by default
you could easily imagine a scenario where the only admin account in the
domain was locked and your forest would be stuffed.

You can usually get the IP address of the PC where the logon attempts are
coming from from the security logs, if you're not sure how to do this post
back the hex values and I'll see if I can convert them to an IP.

In W2K3 Server, if I have a domain/or domain controler lock out policy,

does it affect the Domain Administrator account (ie can the administrator
account be locked out)?

I see a great deal of failed login attempts against "Administrator" in my

AD Security log but I don't see "Administrator" ever being locked out. (I
don't think anyone is attempting consol login.) Maybe a person is logged
into there local PC as local administrator and trying to connect to the
domain. Any thoughts?

 

[Guest]

I see a lot of these from various user names from the Security log on the IIS server. Ironman is the name of our IIS server (not a DC). Is this a failed IIS login or something else

Event ID 68
The logon to account: tdole
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_
from workstation: IRONMA
failed. The error code was: 3221225572

 

[Mark Renoden [MSFT]]

Hi

Refer to

273499 Description of Security Event 681
http://support.microsoft.com/?id=273499

This is probably just a user making a typo when they attempt to authenticate
to the IIS server (assuming you require them to authenticate). If you're
seeing a lot of these per second, the issue is likely to be process driven
and probably warrants further investigation.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Simon Geary]

Hi Mark, say hello to all the lads in the domains team from me!

Hi

Refer to

273499 Description of Security Event 681
http://support.microsoft.com/?id=273499

This is probably just a user making a typo when they attempt to authenticate
to the IIS server (assuming you require them to authenticate). If you're
seeing a lot of these per second, the issue is likely to be process driven
and probably warrants further investigation.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

I see a lot of these from various user names from the Security log on the
IIS server. Ironman is the name of our IIS server (not a DC). Is this a
failed IIS login or something else?

Event ID 681
The logon to account: tdolez
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: IRONMAN
failed. The error code was: 3221225572