Administrator and Guest Accounts locked out

Posted on 2009-02-10
Last Modified: 2012-06-21
I use software like GFI Event Log Monitor and ScriptLogic Active Administrator to monitor my AD environment. I keep getting alerts showing that the domain admin account and the guest account have been locked out by my Exchange server. I have looked at the Exchange server thinking there was a service running with an old password, but everything is set to local system. How can I tell what process is locking out the guest and admin accounts? The only thing I see in event logs is that it was locked out by the machine.

Question by:COSMTARFCU
    LVL 14

    Expert Comment

    LVL 65

    Expert Comment

    The original administrator account cannot get locked out. That is why it is attacked. Therefore I would be looking to see if the Administrator account has been renamed and the account you think is Administrator is in fact not THE administrator account.


    Author Comment

    The admin and guest accounts were renamed by GPO 3 years ago to deter that kind of attack.  So, the account saying it is locked out is the renamed Admin/Guest account.
    The MS lockout tool only tells me that the account is indeed locked out, but doesn't give any more information on what is causing it.  
    I'm getting event ID: 644
    User account named X (account ID domain\X) has been locked out by User DC from domain (machine named Exchange).  And that is the extent of what I am seeing.
    LVL 65

    Expert Comment

    Renaming an account will slow down an attacker by around 30 seconds (the time it takes to realise the account has been renamed and to change tactic).
    If you have Exchange exposed to the internet and authenticated relaying enabled then that will quickly lock out an account called administrator, as someone attempts to brute force the account to use it for relaying spam.
    Anything else exposed to the internet would cause the same problem.

    LVL 47

    Accepted Solution

    Have you gone over the troubleshooting here?

    Troubleshooting Account Lockout
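
One way to narrow down what is generating the failed logons behind an event 644 lockout, as an added example that is not part of the original thread. It assumes the logon-failure events (ID 529 on the Windows versions that log 644) have been exported as text from the Security log of the machine named in the lockout event, and it groups them by logon type, logon process, caller process ID and source address. The sample events, the account name `renamed-admin` and the addresses are constructed.

```python
from collections import Counter

# Constructed sample data: text of logon-failure events (ID 529), laid out like
# the event description, as exported from the machine named in the 644 event.
TEMPLATE = """Logon Failure:
  Reason: Unknown user name or bad password
  User Name: {user}
  Logon Type: {ltype}
  Logon Process: {lproc}
  Caller Process ID: {pid}
  Source Network Address: {src}"""

def make(user, ltype, lproc, pid, src):
    """Build one constructed event description."""
    return TEMPLATE.format(user=user, ltype=ltype, lproc=lproc, pid=pid, src=src)

SAMPLE_EVENTS = (
    [make("renamed-admin", "8", "Advapi", "1234", "203.0.113.50")] * 3
    + [make("renamed-admin", "3", "NtLmSsp", "-", "198.51.100.7"),
       make("jsmith", "3", "NtLmSsp", "-", "198.51.100.7")]
)

def parse_failure(message):
    """Return the 'Name: value' lines of one event description as a dict."""
    fields = {}
    for line in message.splitlines():
        # Split on the first colon only, so values containing ':' survive.
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def summarize(messages, locked_account):
    """Count failures for locked_account per (type, process, caller PID, source)."""
    counts = Counter()
    for message in messages:
        f = parse_failure(message)
        if f.get("User Name", "").lower() != locked_account.lower():
            continue  # failure for a different account
        counts[(f.get("Logon Type", "?"), f.get("Logon Process", "?"),
                f.get("Caller Process ID", "?"),
                f.get("Source Network Address", "?"))] += 1
    return counts.most_common()  # busiest source first

if __name__ == "__main__":
    for (ltype, lproc, pid, src), n in summarize(SAMPLE_EVENTS, "renamed-admin"):
        print(f"{n:3d} failures  type={ltype} process={lproc} caller_pid={pid} from={src}")
```

A caller process ID in the busiest group can be matched against the PID column in Task Manager on that server to name the process, and logon type 8 (network cleartext) from an outside address is consistent with the internet-facing authentication described in the expert comment above.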
