dmc-march asked:

Administrator account locked out every five minutes

Our renamed administrator account is being locked out every five minutes or so.  After doing research on this website, and following all posted instructions, nothing has solved the problem.  I've checked every server's services and all services are running using the local system account.  I've also checked all other miscellaneous services and applications and all are using their own, independent account separate from the renamed admin account.  I have auditing set to log all successes and failures, but must do so as I work in a federal government facility and we must follow DISA guidelines.  I ran the netlogon.log using the lockoutstatus.exe tool and thought I found the culprit server, but after turning the server off, the account is still being locked out.  I've done everything in the book.  If it's posted on this site, I've done it.  Any other suggestions?  Any help would be greatly appreciated.
Windows Server 2003

Last comment: ina_don, 8/22/2022 - Mon
John Gates, CISSP, CDPSE

Have you checked for scheduled tasks running on the servers?  They may also have the old account information 8)

-D-
dmc-march

ASKER
Yes.  We've checked every server's scheduled tasks, and none are using the renamed admin account...  Thanks for the quick reply back!  :-)
John Gates, CISSP, CDPSE

On the failures what type of logon is it?  Do the logs have the system that the attempts come from?
dmc-march

ASKER
These are the three most occurring events inside the seclog through event viewer on my AD pdc and bdc:

1.  Logon Failure:
        Reason:                  Account locked out
        User Name:               bob
        Domain:                  DMC
        Logon Type:              3
        Logon Process:           NtLmSsp
        Authentication Package:  NTLM
        Workstation Name:        C-Host6013-HA
        Caller User Name:        -
        Caller Domain:           -
        Caller Logon ID:         -
        Caller Process ID:       -
        Transited Services:      -
        Source Network Address:  155.7.156.13
        Source Port:             0

2.  Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Logon account:       bob
        Source Workstation:  C-Host6013-HA
        Error Code:          0xC0000234

3.  Pre-authentication failed:
        User Name:                bob
        User ID:                  DMC\bob
        Service Name:             krbtgt/dmc
        Pre-Authentication Type:  0x2
        Failure Code:             0x12
        Client Address:           155.7.156.237

I am a netadmin of almost 500+ people, so the source network address/client address is always changing...makes it harder to specifically track down where the problem lies.  Also, none of the users out on the floor use the renamed admin account.  This account is only for server logon and auth.  The helpdesk crew have their own administrator account they use to administer the users' boxes...
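
As an added example, not part of the thread, here is a Python script that parses event bodies in exactly the form pasted above and sorts the sources into two buckets. The point it makes: all three entries above are rejections of an account that is already locked (NTLM error 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT; Kerberos failure code 0x12 in the 675 event is KDC_ERR_CLIENT_REVOKED), so they are the symptom, not the cause. The host that causes the lockout is the one sending a wrong password in the minutes before each lockout (NTLM 0xC000006A, Kerberos pre-authentication failure code 0x18), and because every DC forwards a failed password to the PDC emulator, that DC's security log is the place to look. The first three sample bodies copy the asker's entries; the remaining two, the host OLDBACKUP01 and the address 155.7.156.99 are constructed for illustration.

```python
from collections import Counter

# Constructed sample event bodies in the Windows Server 2003 security-log text form
# the asker pasted. The first three copy the asker's entries; the last two are made
# up to show what a lockout-driving bad-password attempt looks like (the host
# OLDBACKUP01 and address 155.7.156.99 are invented).
SAMPLE_EVENTS = [
    """Logon Failure:
    Reason:  Account locked out
    User Name:  bob
    Domain:  DMC
    Logon Type:  3
    Authentication Package:  NTLM
    Workstation Name:  C-Host6013-HA
    Source Network Address:  155.7.156.13""",
    """Logon attempt by:  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account:  bob
    Source Workstation:  C-Host6013-HA
    Error Code:  0xC0000234""",
    """Pre-authentication failed:
    User Name:  bob
    User ID:  DMC\\bob
    Service Name:  krbtgt/dmc
    Pre-Authentication Type:  0x2
    Failure Code:  0x12
    Client Address:  155.7.156.237""",
    """Logon attempt by:  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account:  bob
    Source Workstation:  OLDBACKUP01
    Error Code:  0xC000006A""",
    """Pre-authentication failed:
    User Name:  bob
    User ID:  DMC\\bob
    Service Name:  krbtgt/dmc
    Pre-Authentication Type:  0x2
    Failure Code:  0x18
    Client Address:  155.7.156.99""",
]

# Failure codes that matter here. The flag says whether the failure is a wrong
# password (increments badPwdCount and so causes the lockout) rather than a
# rejection because the account is already locked, disabled or unknown.
NTSTATUS = {0xC000006A: ("STATUS_WRONG_PASSWORD", True),
            0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", False),
            0xC0000064: ("STATUS_NO_SUCH_USER", False)}
KRB_ERR = {0x18: ("KDC_ERR_PREAUTH_FAILED", True),
           0x12: ("KDC_ERR_CLIENT_REVOKED", False)}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "10": "RemoteInteractive"}


def parse_event(text):
    """Split 'Key:  value' lines into a dict; the first key is the event title."""
    fields = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    fields["_title"] = next(iter(fields))
    return fields


def classify(text):
    """Return (account, source, description, drives_lockout) for one event body."""
    f = parse_event(text)
    title = f["_title"]
    if title == "Logon Failure":                      # NTLM; paired with a 'Logon attempt by' event
        reason = f.get("Reason", "")
        source = f.get("Source Network Address", "-")
        if source in ("", "-"):
            source = f.get("Workstation Name", "?")
        ltype = LOGON_TYPES.get(f.get("Logon Type", ""), "unknown")
        return f.get("User Name"), source, f"{reason} ({ltype} logon)", "bad password" in reason.lower()
    if title == "Logon attempt by":                   # NTLM; carries the NTSTATUS code
        code = int(f.get("Error Code", "0"), 16)
        name, drives = NTSTATUS.get(code, (f"unknown NTSTATUS 0x{code:08X}", False))
        return f.get("Logon account"), f.get("Source Workstation", "?"), name, drives
    if title == "Pre-authentication failed":          # Kerberos AS-REQ refused by the KDC
        code = int(f.get("Failure Code", "0"), 16)
        name, drives = KRB_ERR.get(code, (f"unknown Kerberos error 0x{code:X}", False))
        return f.get("User Name"), f.get("Client Address", "?"), name, drives
    raise ValueError(f"unrecognised event title: {title!r}")


def rank_sources(event_texts, account):
    """Tally sources for one account: hosts sending wrong passwords versus hosts
    merely refused because the lockout had already happened."""
    drivers, already_locked = Counter(), Counter()
    for text in event_texts:
        acct, source, _, drives = classify(text)
        if acct == account:
            (drivers if drives else already_locked)[source] += 1
    return drivers, already_locked


if __name__ == "__main__":
    drivers, already_locked = rank_sources(SAMPLE_EVENTS, "bob")
    print("cause:", dict(drivers), "\nsymptom only:", dict(already_locked))
```

Run it over the exported bodies of the events logged on the PDC emulator in the few minutes before a lockout, and the "cause" bucket names the host to look at; note that a single NTLM failure is logged as both a "Logon Failure" and a "Logon attempt by" event, so one host can appear twice, under its address and under its NetBIOS name.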

John Gates, CISSP, CDPSE

I am sorry if I am asking redundant questions, but I am trying to get an idea of what's going on there:

What did your investigation of C-Host6013-HA show?

Does it have a backup exec remote agent or something impersonating that logon?
dmc-march

ASKER
That is quite alright. :-)
c-host6013-ha has no backup exec remote agent, or anything on that box impersonating the logon in question.  c-host6013 really doesn't do anything all that important (actually, I just don't want to give its purpose away over the web...).  But nothing is running or is scheduled to run using the administrator's logon credentials...
John Gates, CISSP, CDPSE

And if this machine is turned off another machine just does the same thing?
dmc-march

ASKER
Yes.  That's why it is becoming such a frustrating ordeal...
Netman66

Normally, when this occurs, you need to scan the computers listed as the source of the logon for malware and/or viruses.

There are a number of Trojans that infect computers and then attempt to connect to default shares using the admin account and dictionary attacks.

Run a variety of scans - Spybot, Adaware, Virus scan with latest DATS, CWShredder, and an online scan from another malware site.

Let us know.
dmc-march

ASKER
Hi again,

Well, I ran Spybot, Adaware, Windows Defender, and CWShredder, and the computers listed as the source have all come up clean!  The only thing the scans found were just tracking cookies -- nothing alarming.  It's funny too because when I check lockoutstatus.exe for the admin account, it shows both DCs as the user's state being "Not Locked (Auto Unlocked)," but when I check ADUC, it shows the admin account as being locked out.  Even when I do a refresh on the lockoutstatus.exe, it still shows the account as not being locked, when ADUC shows it as being locked.  Any other ideas?
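
An added example, not from the thread, of the arithmetic behind the "Not Locked (Auto Unlocked)" state and of why two DCs can disagree about the same account. lockoutTime is a replicated attribute and stays set until the next successful logon or a manual unlock, so a tool derives "Auto Unlocked" by comparing it with the policy's lockoutDuration; badPwdCount and badPasswordTime are not replicated, so each DC holds its own copy, and the DC with the most recent bad-password time (normally the PDC emulator, which every DC forwards a failed password to) is the one whose security log shows the failing client. The DC names, times and counters below are constructed; the timestamp conversion is the standard 100-nanosecond-ticks-since-1601 encoding these attributes use.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """AD stores lockoutTime and badPasswordTime as 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, for building the constructed snapshots below."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


# Constructed scenario (not the asker's real data): the account was locked 45 minutes
# ago, the policy lockoutDuration is 30 minutes, and we look at the per-DC attributes
# both now and 5 minutes after the lockout.
NOW = datetime(2006, 3, 1, 12, 0, tzinfo=timezone.utc)
LOCKOUT_AT = NOW - timedelta(minutes=45)
CHECK_SHORTLY_AFTER = LOCKOUT_AT + timedelta(minutes=5)
LOCKOUT_DURATION = timedelta(minutes=30)
SNAPSHOTS = [
    # PDC emulator: it saw the wrong passwords, so its non-replicated counters are set
    {"dc": "DC1", "lockoutTime": datetime_to_filetime(LOCKOUT_AT),
     "badPwdCount": 3, "badPasswordTime": datetime_to_filetime(LOCKOUT_AT)},
    # second DC: lockoutTime replicated to it, badPwdCount/badPasswordTime did not
    {"dc": "DC2", "lockoutTime": datetime_to_filetime(LOCKOUT_AT),
     "badPwdCount": 0, "badPasswordTime": 0},
]


def lock_state(lockout_time, lockout_duration, now):
    """The three states lockoutstatus-style tools report. A non-zero lockoutTime is
    not cleared when the duration elapses, so 'Auto Unlocked' must be computed."""
    if lockout_time == 0:
        return "Not Locked"
    if now - filetime_to_datetime(lockout_time) >= lockout_duration:
        return "Not Locked (Auto Unlocked)"
    return "Locked"


def dc_to_investigate(snapshots):
    """Pick the DC whose own copy of badPasswordTime is newest: that DC's security
    log holds the failing client's address. Ties go to the higher badPwdCount."""
    return max(snapshots, key=lambda s: (s["badPasswordTime"], s["badPwdCount"]))["dc"]


def report(snapshots, lockout_duration, now):
    """Per-DC view of the account, as each DC would answer at time 'now'."""
    return {
        s["dc"]: {
            "state": lock_state(s["lockoutTime"], lockout_duration, now),
            "badPwdCount": s["badPwdCount"],
            "lastBadPassword": (filetime_to_datetime(s["badPasswordTime"]).isoformat()
                                if s["badPasswordTime"] else None),
        }
        for s in snapshots
    }


if __name__ == "__main__":
    for when in (CHECK_SHORTLY_AFTER, NOW):
        print(when.isoformat(), report(SNAPSHOTS, LOCKOUT_DURATION, when))
    print("read the security log on:", dc_to_investigate(SNAPSHOTS))
```

The same comparison explains a "Not Locked (Auto Unlocked)" reading while the account keeps relocking every few minutes: the client is still sending the old password, so within lockoutDuration the state flips back to "Locked" and lockoutTime is written again.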
dmc-march

ASKER
And does anyone know what this error means?

Pre-authentication failed:
       User Name:      bob
       User ID:            domain\bob
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      xxx.xxx.xxx.xxx
John Gates, CISSP, CDPSE

What event id number is that?
dmc-march

ASKER
It is Event ID 675
John Gates, CISSP, CDPSE

dmc-march

ASKER
I took a look at the site, a very useful site at that!  Sad to say that what was recommended I had already looked over and checked.  The Event ID 675 still reigns!
JMayerSellars

Do you have a Mac in your environment with OSX 10.3 or higher?
dmc-march

ASKER
Yes, we sure do.  Why?
JMayerSellars

I have the same issue with my personal AD account with Domain Admin rights. I have traced it to a Mac with OSX Tiger that I had used my account to try and authenticate via SMB/CIFS to a Windows 2003 server file share. It for some reason has held onto my credentials in the keychain of the user and the Mac continues to try and logon with it. I have to wait until tomorrow to get my hands on the offending Mac.

I came across this post as I was searching for a fix for my issue. Thought you might have a Mac doing the same thing. If you have the Mac joined to the AD, you can search the "address leases" in DHCP on the DC for the offending IP address then cross reference the Name and see if it's a Mac. Not sure how long your leases last on machines, but I would assume if your error is happening constantly like mine, you would be able to find the offending machine before the lease expires on the IP.  

Just trying to help.
dmc-march

ASKER
First off:  Thank you very much for your input.  You are very kind for doing so and I appreciate it.

The thing too, however, is that the Mac OS X server does not use the renamed admin account that is giving me problems, and it never has.  This server uses another renamed admin account completely different from the offending renamed admin account that is giving me the real headache.  Also, I statically distribute IP addresses and do not use a DHCP server, so IP address leases never expire over here; therefore, I cannot search the address expirations in DHCP on the DC because the IPs are statically distributed...THANKS!  (^_^)
ASKER CERTIFIED SOLUTION
JMayerSellars

SOLUTION
ina_don

Oooh! And I forgot, something seems funny that your logon being logged by the server seems to be an interactive one...

http://www.windowsecurity.com/articles/Logon-Types.html