Domain Administrator Account Locking Out

[Blaze]

Hi

windows 2000

My domain admin account is locking out for no reason at all.

I try to log on as the domain admin and the account says its locked out.

I go into the AD and unlock the account and reset, and within 60 sec the
accounts locked out again

no-one else is trying to log in and I am not putting in the wrong password
to lock it out.. it just does it all by its-self

any ideas how to stop this

thanks

 

[Matjaz Ladava [MVP]]

Try reading
http://www.microsoft.com/technet/tr...ndowsserver2003/maintain/operate/BPACTLCK.asp
for info on account lockout troubleshooting. Basicaly you need to enable
auditing and then see when, who and why is your account locking out.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

 

[JoS]

Take a look at some of these tools:

Account Lockout and Management Tools
http://www.microsoft.com/downloads/...familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e

JoS

 

[Kenner Costen]

Simple, someone is either trying to log onto their box locally as admin and
do not realize they are hitting the domain (look around the shop) or someone
is trying to nail your amdin account.

Try renaming it, works wonders.

 

[Phantom]

Make sure there aren't any processes trying to run using the Domain admin
account
and a incorrect password

MEM

 

[Fuse News]

Make sure there aren't any processes trying to run using the Domain admin
account
and a incorrect password

MEM

If you change an account's password while the account is still logged into
another PC (or like the previous post said, a process/service using the old
password) then you will have this effect. Make sure all services/processes
using this account use current PW and that this account is logged out of ALL
PCs when you change the PW.

 

[Marlin Munrow (the PFY)]

suggest renaming the account and enabling logging

 

[Andy Foster]

Hi

windows 2000

My domain admin account is locking out for no reason at all.

Really? In that case you're screwed, 'cos if it's doing it for no
reason at all, there is no way to stop it happening.

 

[Linda]

You have lock out after x number of failures? Someone is probalbly
running a brute force attack. Nextime you unlock it...rename the admin
account.

 

[Steve]

Perhaps but its not the only possibility !

you may have left a terminal services session open somewhere, which has not
disconnected and ended, change the TS profile settings in Active Directory
for the account and add a time for disconnecting the sessions

Or you scheduled a task with the account at some time and then have changed
the account password and the Task is still out on the domain with the
account and the old password, hence the lock out

Dump the security log from the DC and search for the failures (I take it
your auditing logon failures and successes in the default domain
policy )after importing into an excel spread sheet using the account details
or the failure using the find /find next this should point you to the
offending machine that's either being attacked, (which I doubt) or is trying
to use the account for authentication purposes.

You could also allow Terminal services manager to connect to all the servers
in your domain (you will need NetBIOS over tcpip enabled to see all of them)
and then see if you can see a session left on a server somewhere.#

failing that then rename the guest account Administrator and rename the
administrator account to something else or create a dummy admin account,
which ever it is enable auditing fully on the dummy account cripple its
access rights and then disable the account, and watch the logs for activity
If it is brute force then even if they get in the account is disabled and
crippled but you have a starting trace point to track it down


hth and makes sense
rgds
Steve

 

[Denis Cooper]

check your secutiry logs - this should give you an idea as to what is
ahppening