• Status: Solved

Our domain admin account is continually being locked out

We run a Windows 2000 AD domain.
We have a domain admin account. Some services use this domain admin account's details for authentication.
Our domain admin account is continually being locked. This occurs after a number of incorrect passwords have been entered when trying to logon or authenticate.
How can I determine from which PC these incorrect logon/authentication attempts are being made?
1 Solution
Hi wanneroo,

Check your event logs on the server and see if there are any details.

You may also want to look at auditing via group policy, although I don't know if this will narrow down the machine - it may just list the user.

Do you have a service that is attempting to logon under the admin account but is using the wrong password? And as stated above check your security log, it should provide you with the IP of the offending machine.
Steve Knight (IT Consultancy) Commented:
Classic cause of this: if you haven't already, I'd turn off the displaying of the last login user in the login box. Then if you log in somewhere with the admin user, the name doesn't stay behind while the user blindly types in their normal password and locks it out...

And to stop it being locked out for now... just rename it (the username, not the full name). Anything that relies on it such as services etc. should be OK as they will use the SID not the name but a user trying to use it or a machine with that left in the login box.


wanneroo (Author) Commented:
Thanks for all those suggestions.
We did rename the account but it is still being locked out.
I am pretty sure it is a service that is attempting to connect using this account's credentials.
The event viewer doesn't give the name of the PC trying to authenticate.
Any other suggestions would be most appreciated.
Are you auditing for failed logon attempts?  The event log should show you the IP address of the box that is trying to login.
Keith Alabaster (Enterprise Architect) Commented:
Another cause of this scenario can be terminal services. We tracked it back to an individual that terminated sessions by simply closing the TS window rather than logging out first. If you use TS (I know it's a pain), check through your TS servers and see if you have any connections still active that have not been closed down correctly.
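
An added example, not part of the original thread: the Security-log check suggested in the answers, done as a tally of failed logons for one account grouped by source machine. It assumes failure auditing is enabled and that the domain controller's Security log has been exported to text; the one-line-per-event layout, the account name `svcadmin` and the host names are constructed for illustration.

```python
from collections import Counter

# Windows 2000/2003 Security log event IDs that matter for lockouts:
#   529 = logon failure (unknown user name or bad password)
#   644 = user account locked out
#   675 = Kerberos pre-authentication failed
# Each event names the source machine and the account in different fields.
SOURCE_FIELD = {529: "Workstation Name", 644: "Caller Machine Name", 675: "Client Address"}
ACCOUNT_FIELD = {529: "User Name", 644: "Target Account Name", 675: "User Name"}

# Constructed sample export: "<event id>|<field>: <value>; <field>: <value>; ..."
SAMPLE = """\
529|User Name: svcadmin; Domain: CORP; Logon Type: 3; Workstation Name: APP01
529|User Name: svcadmin; Domain: CORP; Logon Type: 3; Workstation Name: APP01
675|User Name: svcadmin; Service Name: krbtgt/CORP; Failure Code: 0x18; Client Address: 10.0.0.23
529|User Name: jsmith; Domain: CORP; Logon Type: 2; Workstation Name: PC17
529|User Name: SVCADMIN; Domain: CORP; Logon Type: 3; Workstation Name: ; Logon Process: NtLmSsp
644|Target Account Name: svcadmin; Caller Machine Name: APP01; Caller User Name: DC01$
"""

def parse_event(line):
    """Split one exported line into (event id, {field: value})."""
    event_id, _, body = line.partition("|")
    fields = dict(part.split(": ", 1) for part in body.split("; ") if ": " in part)
    return int(event_id), fields

def lockout_sources(log_text, account):
    """Return (failed logons per source, sources named in lockout events)."""
    failures, lockouts = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_id, fields = parse_event(line)
        if event_id not in SOURCE_FIELD:
            continue
        # Account names are case-insensitive in the directory.
        if fields.get(ACCOUNT_FIELD[event_id], "").lower() != account.lower():
            continue
        # Some failures are logged with an empty source; keep them visible.
        source = fields.get(SOURCE_FIELD[event_id], "").strip() or "(blank)"
        if event_id == 644:
            lockouts.append(source)
        else:
            failures[source] += 1
    return failures, lockouts

if __name__ == "__main__":
    failures, lockouts = lockout_sources(SAMPLE, "svcadmin")
    for source, count in failures.most_common():
        print(f"{count:4d} failed logons from {source}")
    print("Lockout events name:", ", ".join(lockouts))
```

A source that leads the failure count and also appears in the lockout events is the first machine to check for a service or session still using the old password.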
