Re: Administrator Account Locking Out



I may have found a clue... any suggestions with this line from one of the
security logs?

675,AUDIT FAILURE,Security,Thu May 08 10:00:18 2008,NT
AUTHORITY\SYSTEM,Pre-authentication failed: User Name: Administrator
User ID: %{S-1-5-21-1482476501-412668190-725345543-500} Service Name:
krbtgt

It seems that the Kerberos service is trying to use something associated with
the Administrator account, or possibly our RADIUS server might be using it
somehow?

"Paul Bergson [MVP-DS]" wrote:

Only way I know how and I have always been successful using it

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ken Montgomery" <KenMontgomery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2DF90550-0D5E-495E-B5F5-3BDA799F8C3B@xxxxxxxxxxxxxxxx
Paul,

I have followed KB109626 as you indicated, turned on logging for netlogon
service... I found one transitive logon with the error code: 0xC00006A, User
logon with misspelled or bad password for the administrator account but am
having trouble finding the source... is there some better way to find the
source?

Thanks, Ken


So I watch the Lockout


"Paul Bergson [MVP-DS]" wrote:

Here is my standard saved response, use it if there are parts you haven't
already tried.

Is the account logged into more than one machine or is it running a service
on the same machine? A user could have mapped drives to a resource from one
machine, on a different machine he changes his password and then the first
machine attempts to stay mapped to a drive and the password is no longer
correct and eventually locks the user out. Or after a password is changed a
service is running that attempts to authenticate with an old password.

To help try and track down where the account is getting locked out use
eventcombMT.exe from the Account Lockout tools found on Microsoft's
website. Use the built-in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


You can also set the debug flag on NetLogon to track authentication. "This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ken Montgomery" <KenMontgomery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0D2171CF-C48C-436D-AF5E-2BBC808E81CC@xxxxxxxxxxxxxxxx
Hi Everyone,

We have found a developing problem in our mixed mode environment of Windows
2003 Servers and Windows 2000 servers. On both of my Windows 2000 servers, I
can watch using the ALTools from Microsoft, specifically the lockout status
tool, the Administrator account count up and lock out every few minutes.
This does not seem to affect performance of any of my system dramatically,
but I'm concerned why it is doing this.

I have looked in both the event logs, turned on netlogon logging, etc. but
can find no reason for it. Can someone point me in the correct direction for
finding a log that will show me where the source of the attempted login is
coming from?

Then I can possibly troubleshoot the cause...

Thanks in advance,
Ken
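
Added example, not part of the original thread: one way to search the Netlogon debug log discussed above for the source of the bad-password attempts, by tallying failed logon records for one account by originating machine and pass-through server. The sample lines, domain and host names are constructed, and the line layout assumed is the usual `SamLogon: ... logon of DOMAIN\user from HOST (via SERVER) Returns 0x...` form.

```python
import re
from collections import Counter

# NTSTATUS values netlogon.log reports for failed logons.
STATUS = {0xC000006A: "wrong password",
          0xC0000234: "account locked out",
          0xC0000064: "no such user"}

# One completed logon record; "Entered" lines carry no status and are skipped.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<src>\S*) "
    r"\(via (?P<via>[^)]+)\) Returns (?P<status>0x[0-9A-Fa-f]+)")

def failed_logons(lines, user):
    """Return (time, source, via, status) for each failed logon of `user`."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        status = int(m["status"], 16)
        name = m["account"].rsplit("\\", 1)[-1]   # drop the DOMAIN\ prefix
        if status and name.lower() == user.lower():
            hits.append((m["ts"], m["src"] or "(blank)", m["via"], status))
    return hits

def tally_sources(hits):
    """Count failures per (originating machine, server that passed it on)."""
    return Counter((src, via) for _, src, via, _ in hits)

# Constructed sample lines (hypothetical domain and host names).
SAMPLE = r"""
05/08 09:58:02 [LOGON] SamLogon: Network logon of EXAMPLE\jsmith from WKS-014 (via FILESRV1) Returns 0x0
05/08 10:00:18 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\Administrator from APPSRV02 (via W2KSRV1) Entered
05/08 10:00:18 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\Administrator from APPSRV02 (via W2KSRV1) Returns 0xC000006A
05/08 10:00:49 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\Administrator from APPSRV02 (via W2KSRV1) Returns 0xC000006A
05/08 10:01:07 [LOGON] SamLogon: Network logon of EXAMPLE\administrator from  (via W2KSRV2) Returns 0xC000006A
05/08 10:01:20 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\Administrator from APPSRV02 (via W2KSRV1) Returns 0xC0000234
05/08 10:02:00 [LOGON] SamLogon: Interactive logon of EXAMPLE\Administrator from WKS-014 (via DC1) Returns 0x0
""".splitlines()

if __name__ == "__main__":
    hits = failed_logons(SAMPLE, "Administrator")
    for (src, via), n in tally_sources(hits).most_common():
        print(f"{n:3d} failures from {src} via {via}")
    for ts, src, via, status in hits:
        print(ts, src, via, STATUS.get(status, hex(status)))
```

A blank source name means the client did not supply a workstation name; in that case the "via" server's own Security log is the next place to look for the originating address.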





