wanneroo
asked on
Our domain admin account is continually being locked out
We run a Windows 2000 AD domain.
We have a domain admin account. Some sevices use this domain admin account details for authentication.
Our domain admin account is continually being locked. This occurs after a number of incorrect passwords have been entered when trying to logon or authenticate.
How can I determine from which PC these incorrect logon/authentication attempts are being made?
We have a domain admin account. Some sevices use this domain admin account details for authentication.
Our domain admin account is continually being locked. This occurs after a number of incorrect passwords have been entered when trying to logon or authenticate.
How can I determine from which PC these incorrect logon/authentication attempts are being made?
Do you have a service that is attempting to logon under the admin account but is using the wrong password? And as stated above check your security log, it should provide you with the IP of the offending machine.
Classic cause of this is if you haven't already I'd turn off the displaying of the last login user in the login box then if you login somewhere with the admin user the name doesn't stay behind while the user blindly types in their normal password and locks it out...
And to stop it being locked out for now.... just rename it (the username, not fullname). Anything that relies on it such as services etc. should be OK as they will use the SID not the name but a user trying to use it or an machine with that left in the login box.
Steve
And to stop it being locked out for now.... just rename it (the username, not fullname). Anything that relies on it such as services etc. should be OK as they will use the SID not the name but a user trying to use it or an machine with that left in the login box.
Steve
ASKER
Thanks for all those suggestions.
We did rename the account but it is still being locked out.
I am pretty sure it is a service that is attempting to connect using this accounts credentials.
The event viewer doesn't give the name of the PC trying to authenticate.
Any other suggestions would be most appreciated.
We did rename the account but it is still being locked out.
I am pretty sure it is a service that is attempting to connect using this accounts credentials.
The event viewer doesn't give the name of the PC trying to authenticate.
Any other suggestions would be most appreciated.
Are you auditing for failed logon attempts? The event log should show you the IP address of the box that is trying to login.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
check your event logs on the server and see if there are any details
you may walso want to look at auditing via group policy although i dont know if this will narrow down the machine - it may just list the user
Cheers!