Administrator and Guest Accounts locked out

Posted on 2009-02-10
Medium Priority
Last Modified: 2012-06-21
I use software like GFI Event Log Monitor and ScriptLogic Active Administrator to monitor my AD environment. I keep getting alerts showing that the domain admin account and the guest account have been locked out by my Exchange server. I have looked at the Exchange server thinking there was a service running with an old password, but everything is set to local system. How can I tell what process is locking out the guest and admin accounts? The only thing I see in event logs is that it was locked out by the machine.

Question by:COSMTARFCU

Expert Comment

ID: 23600401
The original administrator account cannot get locked out. That is why it is attacked. Therefore I would be looking to see if the Administrator account has been renamed and the account you think is Administrator is in fact not THE administrator account.


Author Comment

ID: 23600474
The admin and guest accounts were renamed by GPO 3 years ago to deter that kind of attack.  So, the account saying it is locked out is the renamed Admin/Guest account.
The MS lockout tool only tells me that the account is indeed locked out, but doesn't give any more information on what is causing it.  
I'm getting event ID: 644
User account named X (account ID domain\X) has been locked out by User DC from domain (machine named Exchange).  And that is the extent of what I am seeing.

Expert Comment

ID: 23600853
Renaming an account will slow down an attacker by around 30 seconds (the time it takes to realise the account has been renamed and to change tactic).
If you have Exchange exposed to the internet and authenticated relaying enabled then that will quickly lock out an account called administrator, as someone attempts to brute force the account to use it for relaying spam.
Anything else exposed to the internet would cause the same problem.


Accepted Solution

Donald Stewart earned 1500 total points
ID: 23619548
Have you gone over the troubleshooting here?

Troubleshooting Account Lockout
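
Added example, not written by anyone in this thread and not taken from the tools mentioned: one way to narrow down what is producing the bad passwords is to tally the failed-logon events recorded on the machine named in the 644 event, grouped by account, caller process ID and source address. It assumes failure auditing of logon events is enabled on that machine, that the Security log has been exported to flat records (the field names and all sample records are constructed), and that `10.0.0.0/8` stands in for the internal network.

```python
import ipaddress
from collections import Counter, defaultdict

FAILED_LOGON_IDS = {529}  # Windows Server 2003: unknown user name or bad password

# Constructed records; "X" is the locked-out account from the 644 event,
# "Y" is a second watched account. Field names are assumptions about the export.
SAMPLE = [
    {"event_id": 529, "user": "X", "caller_pid": 1432, "source_ip": "203.0.113.7"},
    {"event_id": 529, "user": "X", "caller_pid": 1432, "source_ip": "203.0.113.7"},
    {"event_id": 529, "user": "X", "caller_pid": 1432, "source_ip": "198.51.100.20"},
    {"event_id": 529, "user": "Y", "caller_pid": 2210, "source_ip": "-"},
    {"event_id": 529, "user": "Y", "caller_pid": 2210, "source_ip": "-"},
    {"event_id": 540, "user": "X", "caller_pid": 1432, "source_ip": "10.0.0.15"},
    {"event_id": 644, "user": "X", "caller_pid": None, "source_ip": "-"},
]

def is_external(ip, internal_nets):
    """True when ip parses and lies outside every internal network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # "-" or empty: the event recorded no network source
        return False
    return not any(addr in ipaddress.ip_network(n) for n in internal_nets)

def summarize(records, accounts, internal_nets=("10.0.0.0/8", "127.0.0.0/8")):
    """Tally failed logons per watched account by caller PID and source address."""
    out = defaultdict(lambda: {"failures": 0, "pids": Counter(), "sources": Counter()})
    for r in records:
        # Only failed logons for the watched accounts are counted.
        if r["event_id"] not in FAILED_LOGON_IDS or r["user"] not in accounts:
            continue
        entry = out[r["user"]]
        entry["failures"] += 1
        entry["pids"][r["caller_pid"]] += 1
        entry["sources"][r["source_ip"]] += 1
    for entry in out.values():
        external = sum(c for ip, c in entry["sources"].items()
                       if is_external(ip, internal_nets))
        # Mostly external sources fits password guessing against an exposed
        # service; no network source fits a process on the machine itself.
        entry["origin"] = "external" if external * 2 > entry["failures"] else "local-or-internal"
    return dict(out)

if __name__ == "__main__":
    for user, entry in summarize(SAMPLE, {"X", "Y"}).items():
        print(user, entry["failures"], entry["origin"],
              entry["pids"].most_common(1), entry["sources"].most_common(3))
```

The caller PID with the most failures can then be matched to a running process on that machine, for example with `tasklist`.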
