Administrator account keeps getting locked out of Windows SBS 2003!

I have a client that uses the default "Administrator" user account for admin tasks. I have since then created another admin account for my use. In addition, the server is the Blackberry server as well, so it also has a BES admin account. Recently, the "Administrator" user name has been denied access both remotely and locally. However, when I log in as another admin account and reset the "Administrator" password, I am able to log in with the account. After a couple of days (or the next time I check), the "Administrator" account is locked again. Any ideas? I don't want it to lock all of my admin accounts one day. Thanks!
STS-Tech Asked:
 
Supportonthespot Commented:
As a workaround, why don't you disable the admin account and recreate a new admin account? As standard I do this on all my servers so I do not use Administrator. I will create companyadmin or something along those lines as a domain admin.

You could find that somebody in your environment is guessing passwords, in which case they will be guessing administrator as a logon.

You could audit this in the security logs.

But you could prevent the lockout by having a separate admin account not using administrator.

But this is a good alert to you that possibly somebody is guessing passwords. Hopefully you haven't got the RDP protocol open for public access using Remote Desktop to your servers.

This would almost certainly lead to brute force and password guessing, therefore locking out the admin account.
 
John, Business Consultant (Owner), Commented:
Has someone logged into that admin account that you may not be aware of and remains logged in? Check your Sessions to see if this is the case.  ... Thinkpads_User
 
Kruger_monkey Commented:
It could be a virus; scan the server and PCs.

Check the event logs and review the security log for failures.

I've had this in the past and it was a virus that was spreading through the PCs and trying to connect with administrator, causing it to lock out. If not, then potentially someone on the network is trying to access the account, or there is a service running under administrator but using an incorrect password?

The event log will hopefully provide more info.

 
Brian Pierce, Photographer, Commented:
It is likely to be because the user has used the account credentials in some scheduled tasks or services and the password has been changed. The Task/Service is attempting to log on with the account and providing the previous password, and is generating logon failures leading to account lockout.

Double check all Tasks/Services and the credentials they are using.
MS always recommend using a dedicated account for scheduled tasks/services to avoid these issues (set it to password never expires).
 
STS-Tech (Author) Commented:
Thanks everyone. I am scanning the server now with the conficker tool (referenced by a poster that had a similar issue), nothing found so far. The clients have Kaspersky AV and full scans run overnight every night. I've checked the services and the only thing that has the Administrator account as a log on is the Kaspersky Admin Kit. I have since changed that user. I am getting ready to comb through the security event logs now. Thanks!
 
STS-Tech (Author) Commented:
Conficker scan just finished. No infections.  I do have login failures from Caller User Name: IUSR_DELLSBSR2. Not sure what or who that is.  Also there is a failure from Caller User SERVERNAME$. When I log into AD, the Administrator account is not displayed as locked.
 
Supportonthespot Commented:
Hi, that IUSR account appears to be the anonymous user account when connecting over the internet to web pages for SBS.

It's normally found within IIS under properties and security.

Sometimes this is caused by remote devices connecting to emails, SharePoint etc. or any web application.
 
Shaun84 Commented:
When anyone tries to hack your server, the first username they will try will be Administrator, so you are best to disable the administrator account and create a new one with a different username.
It will be getting locked as there will be a group policy saying to lock after 3 unsuccessful attempts.
 
newmanme, Network Administrator\Engineer, Commented:
Your most probable cause is a service that is running on the domain controller itself or on another server.
It is a common mishap to install a server service like backup, antivirus, system monitoring and management, etc. where the password for the administrator was typed in incorrectly. Each time this service attempts to run it uses the administrator account with the wrong password and it disables the administrator account.
Check each server in the services panel to see which services use this account, check the event logs and retype the password just for peace of mind.
Let me know if you need any further help.
M.E.
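For the security-log review suggested in the answers above, an added example (not posted by any participant in this thread): it tallies failed logons for one account by logon type, workstation and caller, which separates a stale service or scheduled-task password (service or batch type, raised on the server itself) from password guessing over the network or RDP. It assumes the failures were exported as "Field: value" text with a blank line between records, uses event ID 529 (the Server 2003 bad-password logon failure), and runs on constructed sample records with invented names.

```python
import re
from collections import Counter

# Logon type numbers as recorded in Windows logon events.
LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch (scheduled task)",
               "5": "service", "8": "network cleartext", "10": "remote interactive (RDP)"}

# Constructed sample laid out like event 529 text; host names and
# callers are invented for this example.
SAMPLE = """\
Event ID: 529
User Name: Administrator
Logon Type: 5
Workstation Name: SBS01
Caller User Name: SBS01$

Event ID: 529
User Name: administrator
Logon Type: 5
Workstation Name: SBS01
Caller User Name: SBS01$

Event ID: 529
User Name: Administrator
Logon Type: 8
Workstation Name: SBS01
Caller User Name: IUSR_EXAMPLE

Event ID: 529
User Name: jsmith
Logon Type: 2
Workstation Name: PC07
Caller User Name: -
"""

def parse_records(text):
    """Yield one dict of fields per blank-line-separated event record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        yield {key.strip(): value.strip() for key, value in pairs}

def failure_sources(text, account="Administrator"):
    """Rank failed logons for `account` by (logon type, workstation, caller)."""
    hits = Counter()
    for rec in parse_records(text):
        if rec.get("Event ID") != "529" or rec.get("User Name", "").lower() != account.lower():
            continue
        kind = LOGON_TYPES.get(rec.get("Logon Type"), "other")
        hits[(kind, rec.get("Workstation Name"), rec.get("Caller User Name"))] += 1
    return hits.most_common()
```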
 
STS-Tech (Author) Commented:
Thanks to all that responded!
 
STS-Tech (Author) Commented:
I decided to disable the default admin account and create a new admin user and change any service that used the old account. Thanks again!
Question has a verified solution.
