Domain Admin Account locked

Xylos

Hi group,
I've already posted a couple of days ago
(now I am crossposting, to make the audience bigger),

so here is the issue:

My domain admin account is sensitive to lockout,
but it should not be. By default the lockout policy does not apply to admin.
The tool "passprop" indicates that "the domain admin account may not be
locked out".
What's going on? Is a security update generating this behavior?
The problem is that the admin account may be locked
from the outside world to make DoS attacks
(from Terminal Services).
One solution of course is renaming the admin account,
but I prefer not to, or not using admin at all.
But the best would be to enable a policy that applies
to the TS computer that disables lockouts; unfortunately
I was told one day that lockout, Kerberos and password policies are domain wide
and enforced at domain level only.

But I'm sure there is a way to make the admin account not
subject to lockout.
Well, maybe I should call Microsoft Support.

Thank you if you have any idea.

Steven L Umbach

Are you sure it is the built-in administrator account that is being locked out and
not an account renamed administrator? On a domain controller run the psgetsid
utility from SysInternals as in "psgetsid administrator" and the last three numbers
after the hyphen must be 500 or it is not the built-in administrator account. You
can use the user right assignments for "deny access to this computer from the network"
and "deny logon locally" to prevent lockouts to an account on specific computers or
groups of computers that may be the targets of these attacks. Terminal Services
requires logon locally. You might also want to see if you can better configure your
firewall. For instance, try to control access to port 3389 from just specific
authorized IP addresses instead of any address. Another possibility is to use a VPN
connection with L2TP for access to Terminal Services, because L2TP requires trusted
machine certificates to gain access to your network. Just keep in mind that L2TP will
not work through most NAT firewalls, though there is an available NAT-T upgrade that
will. -- Steve

http://www.sysinternals.com/ntw2k/freeware/psgetsid.shtml

Guest

I would want to find out why someone is trying to brute force your administrator account password.

Is there anything between your DCs and the internet? If so, are you certain ports 135-139 and 445 are blocked? If not, any hacker on the net could be hammering away on your machines.

Enable netlogon logging on the PDC emulator role holder DC, and look for 6a and 234 entries (6a = bad password attempt, 234 = account was locked out) to determine where the bad password attempts are coming from.

The AL tools and the account lockout best practices whitepaper are both good resources:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.msp
http://www.microsoft.com/downloads/...69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=e
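One way to tally those netlogon entries by source machine, as an added example that is not part of the thread: the sample lines below are constructed in the shape of Netlogon.log "SamLogon ... Returns <status>" records (not a real capture), and the domain, host and account names are made up.

```python
import re
from collections import Counter

# The "6a" and "234" the reply refers to are the low bytes of these NTSTATUS values.
STATUS_WRONG_PASSWORD = 0xC000006A      # bad password attempt
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234  # account was locked out

# Constructed sample in the layout of Netlogon.log SamLogon entries (hypothetical names).
SAMPLE_LOG = """\
03/14 22:01:05 [LOGON] CORP: SamLogon: Network logon of CORP\\Administrator from TSGATEWAY (via TSGATEWAY) Entered
03/14 22:01:05 [LOGON] CORP: SamLogon: Network logon of CORP\\Administrator from TSGATEWAY (via TSGATEWAY) Returns 0xC000006A
03/14 22:01:09 [LOGON] CORP: SamLogon: Network logon of CORP\\Administrator from TSGATEWAY (via TSGATEWAY) Returns 0xC000006A
03/14 22:01:13 [LOGON] CORP: SamLogon: Network logon of CORP\\Administrator from TSGATEWAY (via TSGATEWAY) Returns 0xC000006A
03/14 22:01:17 [LOGON] CORP: SamLogon: Network logon of CORP\\Administrator from TSGATEWAY (via TSGATEWAY) Returns 0xC0000234
03/14 22:02:40 [LOGON] CORP: SamLogon: Network logon of CORP\\jdoe from WS07 (via WS07) Returns 0x0
03/14 22:03:02 [LOGON] CORP: SamLogon: Network logon of CORP\\Administrator from WS07 (via WS07) Returns 0xC000006A
"""

# Only "Returns" lines carry an outcome; "Entered" lines are skipped because they never match.
LINE_RE = re.compile(
    r"logon of (?P<account>\S+) from (?P<source>\S+) .*Returns (?P<status>0x[0-9A-Fa-f]+)"
)


def parse_netlogon(text):
    """Return a list of (account, source_host, status_code) tuples, one per outcome line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        account = m["account"].split("\\")[-1].lower()  # strip the DOMAIN\ prefix
        events.append((account, m["source"], int(m["status"], 16)))
    return events


def failures_by_source(events, account, status=STATUS_WRONG_PASSWORD):
    """Count one account's outcomes of the given status, grouped by originating machine,
    most frequent first: this is where the bad password attempts are coming from."""
    counts = Counter(src for acct, src, st in events
                     if acct == account.lower() and st == status)
    return counts.most_common()


def lockout_sources(events, account):
    """Machines from which an attempt hit the account while it was already locked out."""
    return failures_by_source(events, account, STATUS_ACCOUNT_LOCKED_OUT)


if __name__ == "__main__":
    evts = parse_netlogon(SAMPLE_LOG)
    print("bad passwords:", failures_by_source(evts, "Administrator"))
    print("lockouts:", lockout_sources(evts, "Administrator"))
```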

Xylos

The Administrator account is indeed the built-in account! (SID ends with
500.)
For the rights assignment trick, it seems it doesn't work. I think that the
credentials are checked first, and then upon successful check, the rights
are checked
(accept / refuse local logon etc.). So the account is locked even before
the logon rights are checked. (Well, in fact it was one of the first things I
tried...)

Well, I think I will contact Microsoft Support. This is getting really weird.