Administrator account keeps getting locked out of Windows SBS 2003!

I have a client that uses the default "Administrator" user account for admin tasks. I have since then created another admin account for my use. In addition, the server is the Blackberry server as well, so it also has a BES admin account. Recently, the "Administrator" user name has been denied access both remotely and locally. However, when I log in as another admin account and reset the "Administrator" password, I am able to log in with the account. After a couple of days (or the next time I check), the "Administrator" account is locked again. Any ideas? I don't want it to lock all of my admin accounts one day. Thanks!

John, Business Consultant (Owner), Commented:
Has someone logged into that admin account that you may not be aware of and remains logged in? Check your Sessions to see if this is the case.  ... Thinkpads_User
It could be a virus; scan the server and PCs.

Check the event logs and review the security log for failures.

I've had this in the past and it was a virus that was spreading through the PCs and trying to connect with administrator, causing it to lock out. If not, then potentially someone on the network is trying to access the account, or there is a service running under administrator but using an incorrect password?

The event log will hopefully provide more info.

Brian Pierce, Photographer, Commented:
It is likely to be because the user has used the account credentials in some scheduled tasks or services and the password has been changed. The Task/Service is attempting to log on with the account and providing the previous password and is generating logon failures leading to account lockout.

Double check all Tasks/Services and the credentials they are using.
MS always recommend using a dedicated account for scheduled tasks/services to avoid these issues (set it to password never expires).
STS-Tech, Author, Commented:
Thanks everyone. I am scanning the server now with the conficker tool (referenced by a poster that had a similar issue), nothing found so far. The clients have Kaspersky AV and full scans run overnight every night. I've checked the services and the only thing that has the Administrator account as a log on is the Kaspersky Admin Kit. I have since changed that user. I am getting ready to comb through the security event logs now. Thanks!
As a workaround, why don't you disable the admin account and recreate a new admin account? As standard I do this on all my servers so I do not use administrator. I will create companyadmin or something along those lines as a domain admin.

You could find in your environment somebody is guessing passwords, in which case they will be guessing administrator as a logon.

You could audit this in the security logs.

But you could prevent the lockout by having a separate admin account not using administrator.

But this is a good alert to you that possibly somebody is guessing passwords. Hopefully you haven't got RDP protocol open for public access using Remote Desktop to your servers.

This would almost certainly lead to brute force and password guessing, therefore locking out the admin account.

STS-Tech, Author, Commented:
Conficker scan just finished. No infections.  I do have login failures from Caller User Name: IUSR_DELLSBSR2. Not sure what or who that is.  Also there is a failure from Caller User SERVERNAME$. When I log into AD, the Administrator account is not displayed as locked.
Hi, that IUSR account appears to be the anonymous user account when connecting over the internet to web pages for SBS.

It's normally found within IIS under properties and security.

Sometimes this is caused by remote devices connecting to emails, SharePoint etc. or any web application.
When anyone tries to hack your server, the first username they will try will be Administrator, so you are best to disable the administrator account and create a new one with a different username.
It will be getting locked as there will be a group policy saying to lock after 3 unsuccessful attempts.
newmanme, Network Administrator\Engineer, Commented:
Your most probable cause is a service that is running on the domain controller itself or on another server.
It is a common mishap to install a server service like backup, antivirus, system monitoring and management, etc. and the password for the administrator was typed in incorrectly. Each time this service attempts to run it uses the administrator account with the wrong password and it disables the administrator account.
Check each server in the services panel to see which services use this account, check the event logs and retype in the password just for peace of mind.
Let me know if you need any further help.
STS-Tech, Author, Commented:
Thanks to all that responded!
STS-Tech, Author, Commented:
I decided to disable the default admin account and create a new admin user and change any service that used the old account.  Thanks again!
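
The replies above suggest several causes (a service or scheduled task with a stale password, a web logon through IIS, RDP password guessing, a worm on a PC), and the Security log can tell them apart by logon type and caller. The following is an added example, not part of the original thread: it assumes the failed-logon records (event 529 on Windows Server 2003) have been exported as text in a "Field: value" layout with a blank line between events; the sample records are constructed, using the caller names quoted in the question.

```python
import re
from collections import Counter

# Logon Type values recorded by Windows, mapped to the causes raised in the thread.
LOGON_TYPES = {
    "3": "network (share access or a worm on a PC)",
    "4": "batch (scheduled task)",
    "5": "service (stored service password)",
    "8": "network cleartext (IIS basic auth, web mail)",
    "10": "remote interactive (RDP)",
}

# Constructed sample records (assumed export layout), one blank line between events.
SAMPLE = """\
User Name: Administrator
Logon Type: 5
Caller User Name: SERVERNAME$
Source Network Address: -

User Name: Administrator
Logon Type: 8
Caller User Name: IUSR_DELLSBSR2
Source Network Address: 203.0.113.7

User Name: Administrator
Logon Type: 5
Caller User Name: SERVERNAME$
Source Network Address: -
"""

def parse_events(text):  # one {field: value} dict per blank-line-separated event
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return events

def summarize(text, account="Administrator"):
    """Count failures for `account` by (caller, logon type, source address)."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("User Name", "").lower() != account.lower():
            continue
        kind = LOGON_TYPES.get(ev.get("Logon Type"), "other")
        counts[(ev.get("Caller User Name", "-"), kind,
                ev.get("Source Network Address", "-"))] += 1
    return counts.most_common()

print(summarize(SAMPLE))
```

A dominant "service" or "batch" row points at a stored credential on the server itself, while "remote interactive" or "network" rows with external source addresses point at password guessing from outside.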