Our domain admin account is continually being locked out

Posted on 2006-04-26
Last Modified: 2010-03-18
We run a Windows 2000 AD domain.
We have a domain admin account. Some services use this domain admin account's details for authentication.
Our domain admin account is continually being locked. This occurs after a number of incorrect passwords have been entered when trying to logon or authenticate.
How can I determine from which PC these incorrect logon/authentication attempts are being made?
Question by:wanneroo

    Expert Comment

    Hi wanneroo,

    Check your event logs on the server and see if there are any details.

    You may also want to look at auditing via group policy, although I don't know if this will narrow down the machine - it may just list the user.


    Expert Comment

    Do you have a service that is attempting to logon under the admin account but is using the wrong password? And as stated above check your security log, it should provide you with the IP of the offending machine.

    Expert Comment

    by:Steve Knight
    Classic cause of this is if you haven't already I'd turn off the displaying of the last login user in the login box then if you login somewhere with the admin user the name doesn't stay behind while the user blindly types in their normal password and locks it out...

    And to stop it being locked out for now.... just rename it (the username, not fullname).  Anything that relies on it such as services etc. should be OK as they will use the SID not the name but a user trying to use it or a machine with that left in the login box.


    Author Comment

    Thanks for all those suggestions.
    We did rename the account but it is still being locked out.
    I am pretty sure it is a service that is attempting to connect using this account's credentials.
    The event viewer doesn't give the name of the PC trying to authenticate.
    Any other suggestions would be most appreciated.

    Expert Comment

    Are you auditing for failed logon attempts?  The event log should show you the IP address of the box that is trying to login.

    Accepted Solution

    Another cause of this scenario can be caused from terminal services. We tracked it back to an individual that terminated sessions by simply closing the TS window rather than logging out first. If you use TS, (I know it's a pain) but check through your TS Servers and see if you have any connections still active that have not been closed down correctly.
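
Several replies in this thread point to the domain controllers' security logs as the place to find the offending machine. The following Python script is an added example, not part of the original thread: it tallies which source each failed-logon or lockout record names for one account. It assumes failure auditing is enabled and that each record has been exported to a simplified `event ID | logging DC | description` line; the sample records, host names, addresses and the `lockout_sources` helper are constructed for illustration.

```python
import re
from collections import Counter

# Windows 2000 Security-log event IDs that can name the origin of a failed
# logon, mapped to the description field holding it (needs failure auditing).
SOURCE_FIELD = {
    529: r"Workstation Name:\s*(\S+)",     # logon failure, bad name/password
    644: r"Caller Machine Name:\s*(\S+)",  # user account locked out
    675: r"Client Address:\s*(\S+)",       # Kerberos pre-authentication failed
    681: r"from workstation:\s*(\S+)",     # NTLM logon failure
}
ACCOUNT_FIELD = r"(?:User Name|Target Account Name|logon to account):\s*(\S+)"

# Constructed sample, one record per line: event ID | logging DC | description.
# All host names, accounts and addresses are made up for the example.
SAMPLE = """\
675|DC01|Pre-authentication failed: User Name: svcadmin Service Name: krbtgt/CORP Failure Code: 0x18 Client Address: 10.0.4.27
529|DC01|Logon Failure: Reason: Unknown user name or bad password User Name: svcadmin Domain: CORP Logon Type: 3 Workstation Name: APP07
681|DC02|The logon to account: svcadmin by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: APP07 failed.
529|DC02|Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CORP Logon Type: 2 Workstation Name: PC113
529|DC01|Logon Failure: Reason: Unknown user name or bad password User Name: svcadmin Domain: CORP Logon Type: 3 Workstation Name: APP07
529|DC02|Logon Failure: Reason: Unknown user name or bad password User Name: svcadmin Domain: CORP Logon Type: 3 Workstation Name:
644|DC01|User Account Locked Out: Target Account Name: svcadmin Caller Machine Name: APP07 Caller User Name: DC01$
528|DC01|Successful Logon: User Name: svcadmin Domain: CORP Logon Type: 2 Workstation Name: DC01
"""


def lockout_sources(log_text, account):
    """Return [(source, count)] for records about `account`, busiest first."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3 or not parts[0].strip().isdigit():
            continue  # not a record in the assumed layout
        pattern = SOURCE_FIELD.get(int(parts[0]))
        if pattern is None:
            continue  # event ID carries no failed-logon source (e.g. 528)
        who = re.search(ACCOUNT_FIELD, parts[2], re.I)
        if not who or who.group(1).lower() != account.lower():
            continue
        src = re.search(pattern, parts[2], re.I)
        # Keep records whose source field is blank so the gap is visible.
        hits[src.group(1).lstrip("\\") if src else "(not recorded)"] += 1
    return hits.most_common()


if __name__ == "__main__":
    for source, count in lockout_sources(SAMPLE, "svcadmin"):
        print(f"{count:3d}  {source}")
```

Records with a blank source field are counted separately rather than dropped, since a 529 record that names no workstation still shows which domain controller to examine next.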
