Solved

Domain Administrator Account Locked

Posted on 2011-03-07
5
676 Views
Last Modified: 2012-05-11
Greeting,
I have been using MS Account lockout tools  to try to determine which client is sending bad password attempts that is locking out the Domain Administrator Account.
i believe i have found the culprit but i do not know how to get it to stop. Any suggestions would be appreciated. here is a section of the log file that has the client information.

675,AUDIT FAILURE,Security,Mon Mar 07 09:30:52 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: Administrator     User ID:  %{S-1-5-21-1060284298-492894223-725345543-500}     Service Name: krbtgt/mycompany.COM     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 10.x.x.130  

Thank you.
0
Comment
Question by:4CHail
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35058968
is it only happening from that one box 10.x.x.130?   What is that box?

Thanks

Mike
0
 

Author Comment

by:4CHail
ID: 35059022
It is a Windows XP sp3 box. it it seems to be onlly comming from that box. we shut it off this weekend and the problem went away until this morning when we turned it back on. i have been using the account lockout.dll tool to try to determine what program or service is doiing it. i ihave not been able to stop it.

Thanks.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 35059701
Maybe something like process monitor/TCPView or one of the sysinternal tools on that box can help you out.  Check all the services and passwords on that box.

The nice thing here is that you are close because  you have it down to one box

Good blog entry for others that come across this question  http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Thanks

Mike
0
 
LVL 7

Expert Comment

by:holthd
ID: 35062398
4CHail,
This can sound like a suspicious software on the machine. I'd go ahead and have it re-imaged. Just to be sure.

-Daniel
0
 

Author Comment

by:4CHail
ID: 35062453
After looking at the Admin account, i noticed there were options to use kerberose des encryption type for this account. Because the log showed the service was krbgt/domain.com i decided to try this option. I have had no more lockouts since making the change.

-4chail

Thanks for all the suggestsions.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question