Domain Admin Account Lockout

Tomi

Hi,

I wonder if someone can help me.
For some reason, our domain administrator account seems
to lock out.
We have 3 Windows 2000 domain controllers, 2 on one site
and 1 on another site. They are all part of the same
domain.
I get the following errors in the domain controller logs:
System (SAM) 12294, Directory Service (Replication) 1083,
Security 644, 675, 677.
I am currently auditing these values: Audit Account logon
(Failure), Audit account management (Success), Audit
Process Tracking (Failure).

I have reset the domain admin password; I have renamed
the domain admin account; I have moved the domain admin
account to a different OU. Still the account seems to be
locking itself out.

I have searched the web high and low, but still no
solution.
Has anyone got any other ideas?

Thank you in advance.
 
Jonathan

One possibility: Are you running any scripts through Task Scheduler under the
domain admin account? If so, are they running or failing? You might have
entered the password incorrectly, and if you have not set the account to be
exempt from being locked out, the repeated failure of these scripts can lock
the accounts out on a daily basis.

You could consider running these scripts under a separate account.

Jonathan.
 
tomi

Hi jonathan,

No, we are not running any scripts.
It is a rather strange situation. All accounts on our
domain have been set to lockout after a certain number
of 'invalid' password attempts.

As soon as the Admin account is unlocked, within 25
seconds, it's had a bad password count.

I have been in over a weekend when all our machines have
been switched off, and it still seems to lock itself out.
 
Tomi

I do not think it's a hacker.
We cannot disable account lockout, due to hackers. I have
even renamed the admin account yet the problem still
happens.
 
Pegasus (MVP)

Tomi said:
Hi,

I wonder if someone can help me.
For some reason, our domain administrator account seems
to lock out.
We have 3 Windows 2000 domain controllers, 2 on one site
and 1 on another site. They are all part of the same
domain.
I get the following errors in the domain controller logs:
System (SAM) 12294, Directory Service (Replication) 1083,
Security 644, 675, 677.
I am currently auditing these values: Audit Account logon
(Failure), Audit account management (Success), Audit
Process Tracking (Failure).

I have reset the domain admin password; I have renamed
the domain admin account; I have moved the domain admin
account to a different OU. Still the account seems to be
locking itself out.

I have searched the web high and low, but still no
solution.
Has anyone got any other ideas?

Thank you in advance.

Create a secondary admin account (which you should have
anyway!) and give it some obscure name such as A$min954xx.
This will have two effects:

- No one can guess it (in case you have a prankster), and
- It won't be affected by any scripts or tasks that the existing
account might run (even though you say there aren't any).

You should also do this:

- Scan your PC with an external virus scanner,
e.g. on www.antivirus.com ("free online scan").
- Very carefully examine every startup task as shown by
msconfig.exe (available here:
http://www.svrops.com/svrops/dwnldoth.htm)
 
Guest

Check your Services and make sure there are none running
that require that Administrator's user name and password.
We have a situation here at work where 1 service uses our
domain admin login info and when we change the password
and forget to change it in the service we get major logon
problems overnight (the account tries to login every
second for 1 hour!) as well as the account getting locked
out.
 
Matt Hickman

tomi said:
Hi jonathan,

No, we are not running any scripts.
It is a rather strange situation. All accounts on our
domain have been set to lockout after a certain number
of 'invalid'password attempts.

A couple of possibilities:

1. someone logged on as the domain admin (in a terminal session? a web
site?) somewhere and left the session open. The admin password has since
been changed. The session still is using the old password.

2. a service is running under the domain admin credentials somewhere,
the password has changed and the service is set to restart on failure --
and it always fails because of a bad password.
 
Tomi

Hi,

That is exactly what seems to be happening.
I have checked all the services on all Domain and Member
servers. None of the services are using the Domain Admin
Account. Unless a service on one of our desktops is using
the admin account.

I'll do another check over the weekend.

Thanks for your reply.
 
Tomi

Hi,

Thanks for your reply.

We do have a secondary account and I have checked. As far
as I know, we do not have any secondary accounts.

I shall try the MSconfig tool to see if that helps.
 
Matt Hickman

Tomi said:
Hi,

That is exactly what seems to be happening.
I have checked all the services on all Domain and Member
servers. None of the services are using the Domain Admin
Account. Unless a service on one of our desktops is using
the admin account.

I have also seen this behavior when someone maps a drive
using a different user name -- (the admin
ID being locked out, in this case) and the drive mapping
is persistent.

The OS will try to reconnect with those credentials (which it has
stored somewhere) and if the password changes, it still tries
to use the password it has cached. And lockouts ensue.
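A defender's way to turn the event IDs Tomi listed (675 pre-authentication failures, 644 lockouts) into an answer to "which machine keeps sending the old password", covering the stale session, service and persistent drive mapping causes the replies above describe. This is an added example, not code from anyone in the thread; the log entries, addresses, host names and the 30-second correlation window are constructed assumptions.

```python
"""Attribute an account lockout to the host producing the bad passwords.
Windows 2000 domain controllers log event 675 (Kerberos pre-authentication
failed, carries Client Address) and event 644 (user account locked out,
carries Caller Machine Name) under the auditing Tomi already has enabled.
All entries below are constructed sample data, not records from the thread."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # (timestamp, event id, event fields) -- constructed
    ("2004-03-01 02:00:00", 675, {"User Name": "Administrator", "Client Address": "10.0.0.25"}),
    ("2004-03-01 02:00:05", 675, {"User Name": "Administrator", "Client Address": "10.0.0.25"}),
    ("2004-03-01 02:00:10", 675, {"User Name": "Administrator", "Client Address": "10.0.0.25"}),
    ("2004-03-01 02:00:12", 675, {"User Name": "jsmith", "Client Address": "10.0.0.40"}),
    ("2004-03-01 02:00:15", 675, {"User Name": "Administrator", "Client Address": "10.0.0.25"}),
    ("2004-03-01 02:00:20", 675, {"User Name": "Administrator", "Client Address": "10.0.0.25"}),
    ("2004-03-01 02:00:21", 644, {"Target Account Name": "Administrator", "Caller Machine Name": "DC1"}),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def attribute_lockouts(events, window=timedelta(seconds=30)):
    """For each 644 lockout, report which client addresses produced 675
    failures for that account during `window` before the lockout, and whether
    the busiest source retries at a fixed interval: a service, scheduled task
    or persistent drive mapping replaying a stale password fails like clockwork."""
    failures = defaultdict(list)            # account -> [(time, client address)]
    for ts, eid, f in events:
        if eid == 675:
            failures[f["User Name"]].append((_ts(ts), f["Client Address"]))
    findings = []
    for ts, eid, f in events:
        if eid != 644:
            continue
        locked_at, acct = _ts(ts), f["Target Account Name"]
        recent = [(t, a) for t, a in failures[acct] if locked_at - window <= t <= locked_at]
        by_host = Counter(a for _, a in recent)
        top = by_host.most_common(1)[0][0] if by_host else None
        times = sorted(t for t, a in recent if a == top)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        fixed_interval = len(gaps) >= 3 and max(gaps) - min(gaps) <= 1.0
        findings.append({"account": acct, "locked_at": locked_at,
                         "locked_by_dc": f["Caller Machine Name"],
                         "sources": dict(by_host), "fixed_interval": fixed_interval})
    return findings

if __name__ == "__main__":
    for finding in attribute_lockouts(SAMPLE_EVENTS):
        print(finding)   # one lockout, traced to 10.0.0.25 retrying every 5 s
```

A source that fails at a steady interval is the place to look for a service logon, scheduled task or persistent mapping still holding the old password; the 644 entry only names the DC that processed the lockout, not the offending machine.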
 
