Our domain admin account is continually being locked out

We run a Windows 2000 AD domain.
We have a domain admin account. Some sevices use this domain admin account details for authentication.
Our domain admin account is continually being locked. This occurs after a number of incorrect passwords have been entered when trying to logon or authenticate.
How can I determine from which PC these incorrect logon/authentication attempts are being made?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi wanneroo,

check your event logs on the server and see if there are any details

you may walso want to look at auditing via group policy although i dont know if this will narrow down the machine - it may just list the user

Do you have a service that is attempting to logon under the admin account but is using the wrong password? And as stated above check your security log, it should provide you with the IP of the offending machine.
Steve KnightIT ConsultancyCommented:
Classic cause of this is if you haven't already I'd turn off the displaying of the last login user in the login box then if you login somewhere with the admin user the name doesn't stay behind while the user blindly types in their normal password and locks it out...

And to stop it being locked out for now.... just rename it (the username, not fullname).  Anything that relies on it such as services etc. should be OK as they will use the SID not the name but a user trying to use it or an machine with that left in the login box.

Cloud Class® Course: Microsoft Windows 7 Basic

This introductory course to Windows 7 environment will teach you about working with the Windows operating system. You will learn about basic functions including start menu; the desktop; managing files, folders, and libraries.

wannerooAuthor Commented:
Thanks for all those suggestions.
We did rename the account but it is still being locked out.
I am pretty sure it is a service that is attempting to connect using this accounts credentials.
The event viewer doesn't give the name of the PC trying to authenticate.
Any other suggestions would be most appreciated.
Are you auditing for failed logon attempts?  The event log should show you the IP address of the box that is trying to login.
Keith AlabasterEnterprise ArchitectCommented:
Another cause of this scenario can be caused from terminal services. We tracked it back to an individual that terminated sessions by simply closing the TS window rather than logging out first. If you use TS, (I know its a pain) but check through your TS Servers and see if you have any connections still active that have not been closed down correctly.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.