Many domain admin accounts are locked automatically in my Active Directory

Hi,

I have many domain controllers and RODCs on Windows 2008 SP2.

I have many administrator accounts locked and I am not able to find the root cause.

When I connect to the server, and after I enter my password, I have this message:

"the referenced account is currently locked out and may not be logged on to"

Other administrators have the same issue.

After 10-20 minutes, the account is unlocked automatically.

Thanks for your help
cawasaki Asked:
 
Awinish Commented:
You have to use Netwrix or the events from the security log to check on which computer that admin account is being used.

Use the method and tool below to troubleshoot the account lockout.
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
http://www.netwrix.com/account_lockout_examiner.html

Sometimes I have seen that SEPM is not able to detect Conficker; try to use McAfee, Sophos or Trend Micro.
 
cawasaki (Author) Commented:
Hi,

I have used Account Lockout Status (LockoutStatus.exe) and I see many administrator accounts with bad password count=3 on the DDC server which hosts the FSMO role.

Any suggestion?
 
Awinish Commented:
A/c lockout can have many reasons & there can be Conficker worms too, which mainly target admin accounts.

http://www.sophos.com/products/free-tools/conficker-removal-tool.html
There can be password guessing on the account & you can use the Netwrix tool to detect it.
 
cawasaki (Author) Commented:
I have Symantec SEP 11 on all my servers and I have 0 detections!
 
Awinish Commented:
There can be many reasons, as I said: a mapped drive or service account whose password has been changed, or a virus attack. If all the domain & admin accounts are facing the issue, it can surely be Conficker.

Try to narrow down the issue; use the Netwrix tool, which actually helps.
 
cawasaki (Author) Commented:
Is it possible to find the IP of the computer trying to use the administrator account?
 
cawasaki (Author) Commented:
I have activated debug logging for Netlogon; I will report if I see anything.
 
cawasaki (Author) Commented:
OK, I found an XP SP3 computer which tries to connect as all my admin users and locks all my admin accounts.

I will check if it has a virus....
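
An added example, not posted by anyone in the thread: one way to pull the pattern found above (a single workstation failing logons against every admin account) out of a Netlogon debug log, by grouping failed logons per source machine. The log lines are constructed, and the line layout, the domain, account and machine names, and the `min_accounts` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the usual Netlogon debug log (netlogon.log) layout;
# domain, account and workstation names are made up for this example.
SAMPLE_LOG = r"""
03/14 09:12:01 [LOGON] CORP: SamLogon: Network logon of CORP\adm-alice from XP-WKS-17 Entered
03/14 09:12:01 [LOGON] CORP: SamLogon: Network logon of CORP\adm-alice from XP-WKS-17 Returns 0xC000006A
03/14 09:12:02 [LOGON] CORP: SamLogon: Network logon of CORP\adm-bob from XP-WKS-17 Returns 0xC000006A
03/14 09:12:03 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\adm-carol from XP-WKS-17 (via RODC01) Returns 0xC000006A
03/14 09:12:04 [LOGON] CORP: SamLogon: Network logon of CORP\adm-alice from XP-WKS-17 Returns 0xC0000234
03/14 09:15:40 [LOGON] CORP: SamLogon: Network logon of CORP\adm-bob from FILESRV02 Returns 0xC000006A
03/14 09:16:10 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from PC-0042 Returns 0x0
"""

# NTSTATUS values that indicate a failed logon attempt.
FAILURES = {
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
    "0xC0000064": "unknown user",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?logon of "
    r"(?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

def failed_logons(text):
    """Yield (timestamp, account, source, reason) for each failed logon line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Entered" lines and non-logon lines carry no status
        status = "0x" + m["status"][2:].upper()
        if status in FAILURES:
            yield m["ts"], m["account"].lower(), m["source"].upper(), FAILURES[status]

def suspicious_sources(text, min_accounts=3):
    """Map source machine -> sorted accounts, for sources failing against many accounts."""
    by_source = defaultdict(set)
    for _ts, account, source, _reason in failed_logons(text):
        by_source[source].add(account)
    return {s: sorted(a) for s, a in by_source.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    for source, accounts in suspicious_sources(SAMPLE_LOG).items():
        print(f"{source}: failed logons against {len(accounts)} accounts: {', '.join(accounts)}")
```

A source with failures against one account (FILESRV02 in the sample) is the stale mapped drive or service password case mentioned in the thread and stays below the threshold.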