Solved

Admin Account Locking Out

Posted on 2009-05-05
Last Modified: 2012-08-13
I noticed last week I kept getting Event ID 1083 and 1955 replication errors:

Active Directory could not update the following object with changes received from the domain controller at the following network address because Active Directory was busy processing information.

and

Active Directory encountered a write conflict when applying replicated changes to the following object.

I changed the password on the Admin account, changed all services that run as Admin, and changed all IIS website security. I realized today that the Admin account is locking out. If I unlock it, it locks right back up, with the following errors in the Security Log: Event ID 566, 836 and 837.

How can I figure out what is locking out the admin account?

BTW - Windows 2003, with two ADs and GCs with DNS, DHCP, and Exchange.

TIA
Question by: modest911

20 Comments
 
Author Comment by modest911 (ID: 24304588)

Update - Now this is weird. When the admin account would lock out, I was still able to log on as admin. On top of that, after several times of unlocking the admin account, it doesn't seem to be locking out anymore (for now). Any ideas?
 
Expert Comment by bluntTony (ID: 24304590)

Check your DC in the Security event log and look for the failed logon attempts. From this you should be able to determine the source machine, and also check the logon type. This will give you an idea of the type of logon which is failing. See here: http://www.windowsecurity.com/articles/Logon-Types.html.

Best practice is to not have services running under the domain administrator account, or any other regular account. Really you should create a service account with the necessary permissions to carry out its task and assign this to the service. This account is then used solely for this purpose, and you won't encounter these problems when you change your regular account passwords.

You may also want to check cached credentials on machines you are logged on to as this account: Control Panel | User Accounts | Advanced | Manage Passwords - clear any entries in here.
 
Author Comment by modest911 (ID: 24304681)

There are no failed logon attempts in the event logs.

I will definitely explore your best practices.

I don't log on as a domain admin anywhere but on the DCs, and that is through an MMC.
 
Accepted Solution by ISWSIMBX (earned 500 total points, ID: 24305020)

Try downloading EventComb from Microsoft (part of the Windows 2003 Resource Kit) and run that against the security logs for your Domain Controllers.

When you open it, go to the Searches menu --> Built-In Searches --> Account Lockouts.

In the text box at the bottom, enter your Admin account ID and see if it pulls back any lockout events.
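The two suggestions above (read the DCs' Security logs for the failed logons and their logon type, and run EventComb's Account Lockouts search against every DC) can be done from one script on a 2008-or-later domain. The following is an added example, not code from the thread or from EventComb. It assumes Windows PowerShell 3 or later, rights to read each DC's Security log remotely (the Remote Event Log Management firewall rule open on the DCs), and the post-2003 event IDs, which are the thread's 2003 IDs plus 4096: 644 becomes 4740, 529 becomes 4625, 675 becomes 4771, 680 becomes 4776. The lockout itself is read from the PDC emulator, where every lockout is recorded regardless of which DC rejected the password; the failures that caused it are read from every DC.

```powershell
# Added example, not code from the thread: a Get-WinEvent version of EventComb's
# "Account Lockouts" search plus the failed-logon hunt, for 2008+ domains.
# Assumptions: Windows PowerShell 3+, rights to read every DC's Security log
# remotely, and the post-2003 event IDs (2003 ID + 4096):
#   644 -> 4740 account locked out        529 -> 4625 logon failure
#   675 -> 4771 Kerberos pre-auth failed   680 -> 4776 NTLM validation failed
function Find-LockoutSource {
    param(
        [Parameter(Mandatory)] [string]$Account,   # sAMAccountName, e.g. 'Administrator'
        [int]$Hours = 24
    )

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc    = $domain.PdcRoleOwner.Name
    $dcs    = @($domain.DomainControllers | ForEach-Object { $_.Name })
    $since  = (Get-Date).AddHours(-$Hours)

    # Flatten an event's <EventData><Data Name="..."> elements into a hashtable.
    function Get-EventFields($evt) {
        $fields = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $fields[$_.Name] = $_.'#text' }
        $fields
    }

    $rows = @(
        # 1. Lockouts are written on the PDC emulator whichever DC rejected the
        #    password. In 4740 the caller computer name travels in TargetDomainName.
        Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
            ForEach-Object {
                $f = Get-EventFields $_
                if ($f.TargetUserName -ieq $Account) {
                    [pscustomobject]@{
                        Time = $_.TimeCreated; Event = $_.Id; DC = $pdc
                        Source = $f.TargetDomainName; LogonType = ''; Status = ''
                    }
                }
            }

        # 2. The failures that caused it can land on any DC, so read them all.
        #    4625 has WorkstationName, IpAddress and LogonType; 4776 (NTLM) has
        #    Workstation; 4771 (Kerberos) has only IpAddress.
        foreach ($dc in $dcs) {
            Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $since } |
                ForEach-Object {
                    $f = Get-EventFields $_
                    if ($f.TargetUserName -ieq $Account) {
                        $src = @($f.WorkstationName, $f.Workstation, $f.IpAddress) |
                                   Where-Object { $_ } | Select-Object -First 1
                        [pscustomobject]@{
                            Time = $_.TimeCreated; Event = $_.Id; DC = $dc
                            Source = $src; LogonType = $f.LogonType
                            Status = (@($f.Status, $f.SubStatus) | Where-Object { $_ }) -join '/'
                        }
                    }
                }
        }
    )

    $rows | Sort-Object Time
}

# Usage: the lockouts for the account and the failures that preceded them,
# then a count per source so the noisiest caller stands out.
$hits = Find-LockoutSource -Account 'Administrator' -Hours 48
$hits | Format-Table Time, Event, DC, Source, LogonType, Status -AutoSize
$hits | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

As the thread goes on to show, the caller name in the lockout event is whatever the client sent, so an unfamiliar name points at a device rather than a Windows host; the IpAddress carried by 4625 and 4771 is the quickest way to put an address to it.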
 
Author Comment by modest911 (ID: 24305194)

ISWSIMBX - Thanks for that tool. I did find that the following account is/was getting locked out:

644,AUDIT SUCCESS,Security,Tue May 05 09:37:17 2009,NT AUTHORITY\SYSTEM,User Account Locked Out:
    Target Account Name: Administrator
    Target Account ID: %{S-1-5-21-1202660629-1580436667-725345543-500}
    Caller Machine Name: DNSPO-569CF6C20
    Caller User Name: PE2950EX$
    Caller Domain: MyDomain
    Caller Logon ID: (0x0,0x3E7)
 
Expert Comment by ISWSIMBX (ID: 24305255)

This line tells you where the account is getting locked out from:

Caller Machine Name: DNSPO-569CF6C20

Check that machine and verify that there are no services, scheduled tasks or mapped drives on it that are using the Administrator account.

If there are, change them to use the correct password and your account should no longer lock out.
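An inventory of the places ISWSIMBX lists (services, scheduled tasks, mapped drives), plus the IIS identities and stored credentials the question itself mentions, so the host named in a 644 event can be checked for a stale password in one pass. This is an added example, not code from the thread. It assumes Windows PowerShell 3 or later run as an administrator of the target, and uses the DCOM-based Get-WmiObject and schtasks.exe deliberately so that a Windows 2003 or 2008 member server can be queried as well. The account and computer names in the usage lines are taken from the thread and are placeholders.

```powershell
# Added example, not code from the thread: inventory where an account is still
# configured on a host, i.e. the places that keep presenting an old password
# after a reset. Assumptions: Windows PowerShell 3+ run as an administrator of
# the target; DCOM-based Get-WmiObject and schtasks.exe are used deliberately so
# a Windows 2003/2008 member server can be queried as well.
function Find-CredentialUse {
    param(
        [Parameter(Mandatory)] [string]$Account,      # 'DOMAIN\user', 'user@domain' or 'user'
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Reduce the input to the bare user name, then match it in every form
    # Windows stores it: DOMAIN\user, .\user, user@domain or plain user.
    $user = if ($Account -match '\\') { $Account.Split('\')[-1] }
            elseif ($Account -match '@') { $Account.Split('@')[0] }
            else { $Account }
    $pattern = '(^|\\)' + [regex]::Escape($user) + '(@|$)'
    $isLocal = $ComputerName -ieq $env:COMPUTERNAME

    @(
        # Services: the log-on account is Win32_Service.StartName.
        Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
            Where-Object { $_.StartName -imatch $pattern } |
            ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName; Detail = $_.State } }

        # Scheduled tasks: verbose CSV output carries a 'Run As User' column. The
        # repeated header rows (one per task folder) never match and drop out.
        schtasks.exe /Query /S $ComputerName /V /FO CSV 2>$null | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -imatch $pattern } |
            ForEach-Object { [pscustomobject]@{ Kind = 'ScheduledTask'; Name = $_.TaskName; RunAs = $_.'Run As User'; Detail = $_.'Task To Run' } }

        # IIS 6 (Windows 2003) application pool identities and anonymous users,
        # via the IIS WMI provider; skipped silently where it is not installed.
        Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting `
                -ComputerName $ComputerName -ErrorAction SilentlyContinue |
            Where-Object { $_.WAMUserName -imatch $pattern } |
            ForEach-Object { [pscustomobject]@{ Kind = 'IISAppPool'; Name = $_.Name; RunAs = $_.WAMUserName; Detail = 'pool identity' } }
        Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting `
                -ComputerName $ComputerName -ErrorAction SilentlyContinue |
            Where-Object { $_.AnonymousUserName -imatch $pattern } |
            ForEach-Object { [pscustomobject]@{ Kind = 'IISAnonymous'; Name = $_.Name; RunAs = $_.AnonymousUserName; Detail = 'anonymous user' } }

        # Mapped drives and saved credentials belong to a logon session, so they
        # are only visible when this runs locally, in the session that owns them.
        if ($isLocal) {
            Get-WmiObject -Class Win32_NetworkConnection |
                Where-Object { $_.UserName -imatch $pattern } |
                ForEach-Object { [pscustomobject]@{ Kind = 'MappedDrive'; Name = $_.LocalName; RunAs = $_.UserName; Detail = $_.RemoteName } }

            # cmdkey /list prints blocks of "Target: ..." / "Type: ..." / "User: ..." lines.
            $target = $null
            foreach ($line in @(cmdkey.exe /list)) {
                if ($line -match '^\s*Target:\s*(.+)$') { $target = $Matches[1].Trim() }
                elseif ($line -match '^\s*User:\s*(.+)$') {
                    $runAs = $Matches[1].Trim()
                    if ($runAs -imatch $pattern) {
                        [pscustomobject]@{ Kind = 'StoredCredential'; Name = $target; RunAs = $runAs; Detail = 'Credential Manager' }
                    }
                }
            }
        }
    )
}

# Usage: first the server named in the 644 event, then the local session.
Find-CredentialUse -Account 'MyDomain\Administrator' -ComputerName 'PE2950EX' | Format-Table -AutoSize
Find-CredentialUse -Account 'MyDomain\Administrator' | Format-Table -AutoSize
```

Anything this turns up for the Administrator account is a candidate for the dedicated service account bluntTony recommends, rather than just a password update; the mapped-drive and Credential Manager checks have to be repeated in each interactive session on the box, since those stores are per user.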
 
Author Comment by modest911 (ID: 24305266)

Hmm - That definitely is not a computer name in my network. Looks like I've got some hunting down to do.
 
Expert Comment by bluntTony (ID: 24305308)

This is the event to show that the account has been locked out. Are you sure that there are no events preceding this relating to failed login attempts?

An account is only locked out after a number of failed logon attempts. Ensure that you check the security log of all of your DCs, as I think this event will show on the PDC whether the logon attempts were actually to this DC or not.
 
Expert Comment by bluntTony (ID: 24305363)

No machine called PE2950EX? Sounds like a Dell PowerEdge 2950 to me?
 
Author Comment by modest911 (ID: 24305370)

Yeah, I just double checked. The only thing that happens when the account is locking out is the following event IDs: 566, 836 and 837. I can't find any lockouts on either DC. The only thing I can think of is that I run an MMC with admin credentials on Vista, so I had to create a batch file to type in the admin password:

runas /u:mydomain.com\administrator "mmc C:\Users\me\Documents\Console1.msc"
 
Author Comment by modest911 (ID: 24305378)

Yes, that is my Exchange server, bluntTony.
 
Assisted Solution by ISWSIMBX (earned 500 total points, ID: 24305450)

Does that server have a DRAC card? If it does, that might be where the lockout events are being caused from.

It's been a while since I worked with Dell servers, but I thought you could configure the DRAC card for domain authentication.
 
Author Comment by modest911 (ID: 24305473)

Hmm - Yes, it does. But I never configured it. Hmm - Let me look in that direction.
 
Author Comment by modest911 (ID: 24305535)

HA - You solved another problem that I've been working on, though. I have been looking for a static IP for some time now and couldn't figure out where it was coming from. I guess I did at one time configure that card, but have never had time to use it.
LVL 27

Expert Comment

by:bluntTony
ID: 24305851
So the events 566, 836, and 837 - some of these must be Failure Audits, i.e. failed logons. You've found the lockout - you're looking for the preceding events that caused it.

Look for the source machine causing these failures, and any logon types to help narrow down the source.
0
 
Author Comment by modest911 (ID: 24305999)

The type of all three is Success Audit. Before those I get:

837 - Success Audit / Directory Service Access (by the system)
836 - Success Audit / Directory Service Access (by the system)
566 - Success Audit / Directory Service Access (by the server)
538 - Success Audit / Logon/Logoff (by the admin)
540 - Success Audit / Logon/Logoff (by the admin)
576 - Special privileges assigned to new logon (by the admin)

That seems to be the pattern. But, like I say, the account has not locked out since I mentioned it a few posts above. Thanks
 
Expert Comment by bluntTony (ID: 24306226)

OK, it sounds like you may have had some cached credentials that have now been refreshed; it looks like everything has fallen into line now.

I would recommend using dedicated service accounts going forward though...

Tony
 
Author Comment by modest911 (ID: 24306309)

Thanks for the help! I am going to split the points because both of you helped me.
 
Expert Comment by bluntTony (ID: 24306488)

You split the points but both lots went to ISWSIMBX. Never mind. I won't take it personally :0)
 
Author Comment by modest911 (ID: 24306501)

Ah man - I didn't mean to do that. Sorry.
