  • Status: Solved
  • Priority: Medium
  • Security: Public

Admin Account Locking Out

I noticed last week I kept getting Event ID 1083 and 1955 replication errors

Active Directory could not update the following object with changes received from the domain controller at the following network address because Active Directory was busy processing information.

and

Active Directory encountered a write conflict when applying replicated changes to the following object.

I changed the password to the Admin Account - Changed all services that run on Admin, changed all IIS website security. I realized today that the Admin account is locking out. If I unlock it, it locks right back up with the following errors in the Security Log - Event ID 566, 836 and 837.

How can I figure out what is locking out the admin account?

BTW - Windows 2003, with two ADs and GCs with DNS, DHCP, and Exchange.

TIA
0
modest911
Asked:
 
modest911 (Author) Commented:
Update - Now this is weird. When the admin account would lock out, I was still able to log on as admin. On top of that, after several times of unlocking the admin account, it doesn't seem to be locking out anymore (for now). Any ideas?
0
 
bluntTony Commented:
Check your DC in the Security event log and look for the failed logon attempts. From this you should be able to determine the source machine, and also check the logon type. This will give you an idea of the type of logon which is failing. See here: http://www.windowsecurity.com/articles/Logon-Types.html.
Best practice is to not have services running under the domain administrator account, or any other regular account. Really you should create a service account with the necessary permissions to carry out its task and assign this to the service. This account is then used solely for this purpose, and you won't encounter these problems when you change your regular account passwords.
You may also want to check cached credentials on machines you are logged on to as this account: Control Panel | User Accounts | Advanced | Manage Passwords - clear any entries in here.
0
 
modest911 (Author) Commented:
There are no failed logon attempts in the event logs.

I will def explore your best practices.

I don't log on as a domain admin anywhere but on the DC's is through a MMC.
0
 
ISWSIMBX Commented:
Try downloading eventcomb from Microsoft (part of the Windows 2003 Resource Kit) and run that against the security logs for your Domain Controllers.  

When you open it, go to the Searches Menu --> Built-In Searches --> Account Lockouts

In the text box at the bottom, enter your Admin account ID and see if it pulls back any lockout events.
0
 
modest911 (Author) Commented:
ISWSIMBX - Thanks for that tool. I did find the following account is/was getting locked out:

644,AUDIT SUCCESS,Security,Tue May 05 09:37:17 2009,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: Administrator     Target Account ID: %{S-1-5-21-1202660629-1580436667-725345543-500}     Caller Machine Name: DNSPO-569CF6C20     Caller User Name: PE2950EX$     Caller Domain: MyDomain     Caller Logon ID: (0x0,0x3E7)
0
 
ISWSIMBX Commented:
This line tells you where the account is getting locked out from:

Caller Machine Name: DNSPO-569CF6C20

Check that machine and verify that there are no Services, Scheduled Tasks or any mapped drives on it that are using the Administrator Account.

If there are, change them to use the correct password and your account should no longer lockout.
0
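An added example (not part of the original thread, and not a Microsoft tool): a Python sketch that parses event 644 rows in the comma-separated layout of the EventCombMT output quoted above, counts lockouts per caller, and checks each Caller Machine Name against a host inventory. The timestamps, the `jsmith` row, the inventory names `DC01` and `WS-014`, and the placeholder SID are constructed; falling back to the computer account in Caller User Name (trailing `$`) when the machine name is unknown is an assumption that mirrors how this thread moved from DNSPO-569CF6C20 to PE2950EX.

```python
import re
from collections import Counter

# Constructed rows modelled on the event 644 record quoted in the thread.
_ROW = ("{eid},AUDIT SUCCESS,Security,{when},NT AUTHORITY\\SYSTEM,User Account Locked Out:"
        "     Target Account Name: {target}     Target Account ID: %{{S-1-5-21-CONSTRUCTED}}"
        "     Caller Machine Name: {machine}     Caller User Name: {user}"
        "     Caller Domain: MyDomain     Caller Logon ID: (0x0,0x3E7)")
SAMPLE = "\n".join([
    _ROW.format(eid=644, when="Tue May 05 09:37:17 2009", target="Administrator",
                machine="DNSPO-569CF6C20", user="PE2950EX$"),
    _ROW.format(eid=644, when="Tue May 05 10:02:41 2009", target="Administrator",
                machine="DNSPO-569CF6C20", user="PE2950EX$"),
    _ROW.format(eid=644, when="Tue May 05 10:15:03 2009", target="jsmith",
                machine="WS-014", user="DC01$"),
    _ROW.format(eid=540, when="Tue May 05 10:16:00 2009", target="Administrator",
                machine="WS-014", user="DC01$"),   # not a lockout row, skipped
])
INVENTORY = {"PE2950EX", "DC01", "WS-014"}  # constructed list of known hosts

def parse_lockouts(text):
    """Return one dict of 'Key: value' fields per event 644 row."""
    events = []
    for line in text.splitlines():
        parts = line.split(",", 5)  # the description itself contains a comma
        if len(parts) < 6 or parts[0].strip() != "644":
            continue
        fields = {"Time": parts[3]}
        for chunk in re.split(r"\s{2,}", parts[5].strip()):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def triage(events, account, inventory):
    """Count lockouts of `account` per caller and name the host to inspect."""
    known = {h.upper() for h in inventory}
    counts = Counter((e.get("Caller Machine Name", ""), e.get("Caller User Name", ""))
                     for e in events
                     if e.get("Target Account Name", "").lower() == account.lower())
    report = []
    for (machine, user), n in counts.most_common():
        in_inv = machine.upper() in known
        # Unknown machine name: fall back to the computer account (assumption).
        host = machine if in_inv else (user[:-1] if user.endswith("$") else None)
        report.append({"machine": machine, "user": user, "count": n,
                       "in_inventory": in_inv, "check_host": host})
    return report

if __name__ == "__main__":
    for row in triage(parse_lockouts(SAMPLE), "Administrator", INVENTORY):
        print(row)
```
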
 
modest911 (Author) Commented:
Hmm - That def is not a computer name in my network - Looks like I got some hunting down to do.
0
 
bluntTony Commented:
This is the event to show that the account has been locked out. Are you sure that there are no events preceding this relating to failed login attempts?

An account is only locked out after a number of failed logon attempts. Ensure that you check the security log of all of your DCs, as I think this event will show on the PDC whether the logon attempts were actually to this DC or not.
0
 
bluntTony Commented:
No machine called PE2950EX? Sounds like a Dell PowerEdge 2950 to me?
0
 
modest911 (Author) Commented:
Yeah I just double checked - The only thing that happens when the account is locking out is the following event IDs 566, 836 and 837. I can't find any lockouts on either DC. The only thing I can think of is that I run a MMC with admin credentials on Vista. So, I had to create a batch file to type in the admin password

runas /u:mydomain.com\administrator "mmc C:\Users\me\Documents\Console1.msc"
0
 
modest911 (Author) Commented:
Yes that is my Exchange server bluntTony
0
 
ISWSIMBX Commented:
Does that server have a DRAC card?  If it does that might be where the lockout events are being caused from.  

It's been a while since I worked with Dell servers, but I thought you could configure the DRAC card for Domain Authentication.
0
 
modest911 (Author) Commented:
Hmm - Yes it does. But, I never configured it. Hmm - Let me look in that direction
0
 
modest911 (Author) Commented:
HA - You solved another problem that I have been working on though. I have been looking for a static IP for some time now and couldn't figure out where it was coming from. I guess I did at one time configure that card - But, have never had time to use it.

0
 
bluntTony Commented:
So the events 566, 836, and 837 - some of these must be Failure Audits, i.e. failed logons. You've found the lockout - you're looking for the preceding events that caused it.

Look for the source machine causing these failures, and any logon types to help narrow down the source.
0
 
modest911 (Author) Commented:
The type of all three is Success Audit. Before those I get

837 - Success Audit/Directory Service Access (By the system)
836 - Success Audit/Directory Service Access (By the system)
566 - Success Audit/Directory Service Access (By the server)
538 - Success Audit - Logon/Logoff (By the admin)
540 - Success Audit - Logon/Logoff (By the admin)
576 - Special privileges assigned to new logon: (By the admin)


That seems to be the pattern. But, like I say - The account has not locked out since I mentioned it a few posts above. Thanks
0
 
bluntTony Commented:
OK, it sounds like you may have had some cached credentials that have now been refreshed; it looks like everything has fallen in line now.

I would recommend using dedicated service accounts going forward though...

Tony
0
 
modest911 (Author) Commented:
Thanks for the help! I am going to split the points cause both of you helped me.
0
 
bluntTony Commented:
You split the points but both lots to ISWSIMBX. Never mind. I won't take it personally :0)
0
 
modest911 (Author) Commented:
Ah man - I didn't mean to do that. Sorry
0
