dmc-march asked:
Administrator account locked out every five minutes

Our renamed administrator account is being locked out every five minutes or so.  After doing research on this website, and following all posted instructions, nothing has solved the problem.  I've checked every server's services and all services are running using the local system account.  I've also checked all other miscellaneous services and applications and all are using their own, independent account separate from the renamed admin account.  I have auditing set to log all successes and failures, but must do so as I work in a federal government facility and we must follow DISA guidelines.  I ran the netlogon.log using the lockoutstatus.exe tool and thought I found the culprit server, but after turning the server off, the account is still being locked out.  I've done everything in the book.  If it's posted on this site, I've done it.  Any other suggestions?  Any help would greatly be appreciated.
John Gates, CISSP, CDPSE

Have you checked for scheduled tasks running on the servers?  They may also have the old account information 8)

-D-
dmc-march (ASKER)

Yes.  We've checked every server's scheduled tasks, and none are using the renamed admin account...  Thanks for the quick reply back!  :-)
On the failures what type of logon is it?  Do the logs have the system that the attempts come from?
These are the three most occurring events inside the seclog through event viewer on my AD pdc and bdc:

1.  Logon Failure:
       Reason:            Account locked out
       User Name:      bob
       Domain:      DMC
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      C-Host6013-HA
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      155.7.156.13
       Source Port:      0

2.  Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Logon account:      bob
       Source Workstation:      C-Host6013-HA
       Error Code:      0xC0000234

3.  Pre-authentication failed:
       User Name:      bob
       User ID:            DMC\bob
       Service Name:      krbtgt/dmc
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      155.7.156.237

I am a netadmin of almost 500+ people, so the source network address/client address is always changing...makes it harder to specifically track down where the problem lies.  Also, none of the users out on the floor use the renamed admin account.  This account is only for server logon and auth.  The helpdesk crew have their own administrator account they use to administer the users' boxes...
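A small triage aid, added here and not part of the thread: it parses security-log text in the layout pasted above, decodes the codes that appear in it (Logon Type 3, NTSTATUS 0xC0000234, Kerberos failure 0x12) and tallies failure sources per account, so the host generating the lockouts stands out. The sample events are constructed in that layout and reuse the host name and addresses quoted above.

```python
import re
from collections import Counter, defaultdict

# Standard meanings of the codes quoted in the thread (Windows NTSTATUS, RFC 4120 Kerberos).
LOGON_TYPES = {"2": "Interactive", "3": "Network (SMB/RPC)", "4": "Batch", "5": "Service"}
NTSTATUS = {"0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT", "0xC000006A": "STATUS_WRONG_PASSWORD"}
KRB_ERR = {"0x12": "KDC_ERR_CLIENT_REVOKED (locked/disabled)", "0x18": "KDC_ERR_PREAUTH_FAILED"}
CODE_TABLES = (("Logon Type", LOGON_TYPES), ("Error Code", NTSTATUS), ("Failure Code", KRB_ERR))
SOURCE_KEYS = ("Workstation Name", "Source Workstation", "Source Network Address", "Client Address")
KV = re.compile(r"^\s*(?:\d+\.\s*)?([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$")

def parse_events(text):
    """Split pasted Event Viewer text into one dict per blank-line-separated event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (KV.match(line) for line in block.splitlines())
        events.append({m.group(1): m.group(2) for m in pairs if m and m.group(2) not in ("", "-")})
    return events

def decode(ev):
    """Translate the numeric codes in one event into their documented meanings."""
    return [tbl.get(ev[k], f"unknown {k} {ev[k]}") for k, tbl in CODE_TABLES if k in ev]

def sources_by_user(events):
    """Tally the hosts/addresses behind each account's failures: the lockout-source shortlist."""
    table = defaultdict(Counter)
    for ev in events:
        user = (ev.get("User Name") or ev.get("Logon account") or "").lower()
        for key in SOURCE_KEYS:
            if user and key in ev:
                table[user][ev[key]] += 1
    return table

# Constructed sample in the thread's layout; host name and addresses are placeholders.
SAMPLE = """\
1.  Logon Failure:
       User Name:      bob
       Logon Type:      3
       Workstation Name:      C-Host6013-HA
       Caller User Name:      -
       Source Network Address:      155.7.156.13

2.  Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      bob
 Source Workstation:      C-Host6013-HA
 Error Code:      0xC0000234

3.  Pre-authentication failed:
       User Name:      bob
       Failure Code:      0x12
       Client Address:      155.7.156.237
"""
```

Run `sources_by_user(parse_events(SAMPLE))["bob"].most_common()` against a full day of exported events to rank the sources; a host that tops the list on every domain controller is the first place to look.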

I am sorry if I am asking redundant questions, but I am trying to get an idea of what's going on there:

What did your investigation of C-Host6013-HA show?

Does it have a backup exec remote agent or something impersonating that logon?
That is quite alright. :-)
c-host6013-ha has no backup exec remote agent, or anything on that box impersonating the logon in question.  c-host6013 really doesn't do anything all that important (actually, I just don't want to give its purpose away over the web...). But nothing is running or is scheduled to run using the administrator's logon credentials...
And if this machine is turned off another machine just does the same thing?
Yes.  That's why it is becoming such a frustrating ordeal...
Normally, when this occurs, you need to scan the computers listed as the source of the logon for malware and/or viruses.

There are a number of Trojans that infect computers and then attempt to connect to default shares using the admin account and dictionary attacks.

Run a variety of scans - Spybot, Adaware, virus scan with latest DATs, CWShredder, and an online scan from another malware site.

Let us know.
Hi again,

Well, I ran Spybot, Adaware, Windows Defender, and CWShredder, and the computers listed as the source have all come up clean!  The only thing the scans found were just tracking cookies -- nothing alarming.  It's funny too because when I check lockoutstatus.exe for the admin account, it shows both DCs as the user's state being "Not Locked (Auto Unlocked)," but when I check ADUC, it shows the admin account as being locked out.  Even when I do a refresh on lockoutstatus.exe, it still shows the account as not being locked, when ADUC shows it as being locked.  Any other ideas?
And does anyone know what this error means?

Pre-authentication failed:
       User Name:      bob
       User ID:            domain\bob
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      xxx.xxx.xxx.xxx
What event id number is that?
It is Event ID 675
I took a look at the site, a very useful site at that!  Sad to say that what was recommended I had already looked over and checked.  The Event ID 675 still reigns!
JMayerSellars

Do you have a Mac in your environment with OSX 10.3 or higher?
Yes, we sure do.  Why?
I have the same issue with my personal AD account with Domain Admin rights. I have traced it to a Mac with OSX Tiger that I had used my account to try and authenticate via SMB/CIFS to a Windows 2003 server file share. It for some reason has held onto my credentials in the keychain of the user and the Mac continues to try and logon with it. I have to wait until tomorrow to get my hands on the offending Mac.

I came across this post as I was searching for a fix for my issue. Thought you might have a Mac doing the same thing. If you have the Mac joined to the AD, you can search the "address leases" in DHCP on the DC for the offending IP address then cross reference the Name and see if it's a Mac. Not sure how long your leases last on machines, but I would assume if your error is happening constantly like mine, you would be able to find the offending machine before the lease expires on the IP.  

Just trying to help.
First off:  Thank you very much for your input.  You are very kind for doing so and I appreciate it.

The thing too, however, is that the Mac OS X server does not use the renamed admin account that is giving me problems, and it never has.  This server uses another renamed admin account completely different from the offending renamed admin account that is giving me the real headache.  Also, I statically distribute IP addresses, and do not use a DHCP server, so IP address leases never expire over here; therefore, I cannot search the address expirations in DHCP on the DC because the IPs are statically distributed...THANKS!  (^_^)
ASKER CERTIFIED SOLUTION
JMayerSellars
Oooh! And I forgot, something seems funny: the logon being logged by the server seems to be an interactive one...

http://www.windowsecurity.com/articles/Logon-Types.html