Admin Account locked out every hour.

We changed the administrator account's password and since then we have been
seeing it locked out every hour. I have the lockout tools from microsoft.
The lockout originates from the domain controller DC1. Every hour I get this
error in the event log of DC1.


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 2/17/2006
Time: 5:00:14 PM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Pre-authentication failed:
User Name: Administrator
User ID: companyname\Administrator
Service Name: krbtgt/companyname
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

I have triple checked the services and all processes running on the server.
None seem to using the Administrator account. Eventcomb shows the following
errors every hour:

675,AUDIT FAILURE,Security,Mon Feb 17 17:00:12 2006,NT
AUTHORITY\SYSTEM,Pre-authentication failed: User Name: Administrator
User ID: %{S-1-5-21-1118139714-1942908946-495535119-5467} Service Name:
krbtgt/companyname Pre-Authentication Type: 0x2 Failure Code: 0x18
Client Address: 127.0.0.1


I turned on Netlogon logging which logs the following every hour:

02/17 17:00:52 [LOGON] companyname: SamLogon: Network logon of
companyname\administrator from DC1 Entered
02/17 17:00:52 [LOGON] companyname: SamLogon: Network logon of
companyname\administrator from DC1 Returns 0xC0000234

Kerberos logs the following at around the time:


Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 2/17/2006
Time: 5:00:16 PM
User: N/A
Computer: DC1
Description:
A Kerberos Error Message was received:
on logon session companyname.COM\dc1$
Client Time:
Server Time: 1:3:42.0000 2/20/2006 Z
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error:
Client Realm:
Client Name:
Server Realm: companyname
Server Name: krbtgt/companyname
Target Name: krbtgt/companyname@companyname
Error Text:
File: e
Line: 6bc
Error Data is in record data.

I find it interesting that the account lockout events above occur every hour
all day and that the source address is 127.0.0.1, which means that the source
is itself (domain controller, DC1). I have checked schedule jobs in the
controll panel and through the AT command as well. Nothing is schedule via
these.

Thanks -LRG
.

Relevant Pages

  • Re: Lost Administrator password
    ... the above logs are related to user logons and the ... associated logging being turned on. ... Administrator was blank and the password reset as well (not sure if the ... Domain Password & Lockout Policies ...
    (microsoft.public.windows.server.sbs)
  • Re: Admin Account locked out every hour.
    ... The lockout originates from the domain controller DC1. ... I have checked schedule jobs in the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Thousands of logon failures in the Security Log
    ... 'Administrator' alone. ... I have set my account lockout thresholds very low (as has been ... a security log reporting thousands of "Unknown user name or bad ... Some routers/firewalls are able to open ports only ...
    (microsoft.public.windows.server.sbs)
  • Re: Thousands of logon failures in the Security Log
    ... 2000 attempts on 'Administrator' alone. ... I have set my account lockout thresholds very low (as has been ... a security log reporting thousands of "Unknown user name or bad ... are able to open ports only for specific hours of operation. ...
    (microsoft.public.windows.server.sbs)
  • Question regarding Group Policy
    ... I am an administrator of a small company. ... I like to setup a security policy ... lockout for 10 minutes. ...
    (microsoft.public.win2000.group_policy)
Loading