Re: Administrator Account Locking Out

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

I have found two packages that are causing problems. One is a service
appliance, that was easy to find, the other is ASP.NET which was not so easy
to find.

Still getting lockouts though... so something else is causing it.

"Ken Montgomery" wrote:

I may have found a clue... any suggestions with this line from one of the
security logs?

675,AUDIT FAILURE,Security,Thu May 08 10:00:18 2008,NT
AUTHORITY\SYSTEM,Pre-authentication failed: User Name: Administrator
User ID: %{S-1-5-21-1482476501-412668190-725345543-500} Service Name:
krbtgt

It seems that the Kerebos service is trying to use something associated with
the Administrator account, or possibly our RADIUS server might be using it
somehow?

"Paul Bergson [MVP-DS]" wrote:

Only way I know how and I have always been successful using it

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ken Montgomery" <KenMontgomery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2DF90550-0D5E-495E-B5F5-3BDA799F8C3B@xxxxxxxxxxxxxxxx
Paul,

I have followed KB109626 as you indicated, turned on logging for netlogon
service... I found one transitive logon with the error code: 0xC00006A,
User
logon with misspelled or bad password for the administrator account but am
having trouble finding the source... is there some better way to find the
source?

Thanks, Ken


So I watch the Lockout


"Paul Bergson [MVP-DS]" wrote:

Here is my standard saved response, use it if there are parts you haven't
already tried.

Is the account logged into more than one machine or is it running a
service
on the same machine? A user could have mapped drives to a resource from
one
machine, on a different machine he changes his password and then the
first
machine attempts to stay mapped to a drive and the password is no longer
correct and eventually locks the user out. Or after a password is
changed a
service is running that attempts to authenticate with an old password.

To help try and track down where the account is getting locked out use
eventcombMT.exe from the Account Lockout tools found out Microsoft's
website. Use the built in search AccountLockouts and search in the
created
text files for the user in question.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


You can also set the debug flag on NetLogon to track authentication.
"This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Ken Montgomery" <KenMontgomery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:0D2171CF-C48C-436D-AF5E-2BBC808E81CC@xxxxxxxxxxxxxxxx
Hi Everyone,

We have found a developing problem in our mixed mode environment of
Windows
2003 Servers and Windows 2000 servers. On both of my Windows 2000
servers, I
can watch using the ALTools from Microsoft, specifically the lockout
status
tool, the Administrator account count up and lock out every few
minutes.
This does not seem to affect performance of any of my system
dramatically,
but I'm concerned why it is doing this.

I have looked in both the event logs, turned on netlogon logging, etc.
but
can find no reason for it. Can someone point me in the correct
direction
for
finding a log that will show me where the source of the attempted login
is
coming from?

Then I can possibly troubleshoot the cause...

Thanks in advance,
Ken






.

Relevant Pages

  • RE: Renaming Administrator account
    ... I was going to mention passprop, as well, but it does have some issues ... account lockout; the account can still log on locally to DCs regardless. ... > If you rename the domain administrator account, ...
    (Focus-Microsoft)
  • Re: Administrator Account Locking Out
    ... says the Administrator account is locked out... ... The account lockout doesn't appear to be a service, ... Windows 2003 Servers and Windows 2000 servers. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Can I rename the Administrator account?
    ... NDXhound typed: ... Your warning about not having an enabled administrator account was ... account after x failed login attempts, and, how to set the lockout ...
    (microsoft.public.windows.server.sbs)
  • Re: The server was unable to logon the Windows NT account ...
    ... same on both servers. ... account to do this, because in order for>that to work, either you would ... is by using the administrator account - but as I have said previously I ... want to get it working using a restricted user account - which is why it ...
    (microsoft.public.inetserver.iis.security)
  • Re: MS Baseline Security Analyzer
    ... Microsoft does recommend a minimum of ten as the lockout threshold ... The built in administrator account is supposed to be immune to ... every single one of our accounts, including the domain admin accounts, were locked ...
    (microsoft.public.security)