Solved

Domain Administrator Account Locked

Posted on 2011-03-07
Last Modified: 2012-05-11
Greetings,
I have been using the MS Account Lockout tools to try to determine which client is sending the bad password attempts that are locking out the Domain Administrator account.
I believe I have found the culprit, but I do not know how to get it to stop. Any suggestions would be appreciated. Here is a section of the log file that has the client information.

675,AUDIT FAILURE,Security,Mon Mar 07 09:30:52 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: Administrator     User ID:  %{S-1-5-21-1060284298-492894223-725345543-500}     Service Name: krbtgt/mycompany.COM     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 10.x.x.130  

Thank you.
Question by:4CHail
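
The log line in the question can be tallied by client address to confirm which machine is sending the bad passwords. The following is an added example, not part of the original post: it assumes the comma-separated layout of the excerpt above, and the function names, sample lines, SID, realm and 192.0.2.x addresses are constructed placeholders.

```python
import re
from collections import Counter

# Kerberos error codes that show up as "Failure Code" in event 675 (RFC 4120).
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (unknown user name)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}
FIELDS = re.compile(r"User Name:\s*(?P<user>\S+).*?"
                    r"Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+).*?"
                    r"Client Address:\s*(?P<client>\S+)")

def parse_675(line):
    """Return (user, failure_code, client) for an event 675 line, else None."""
    parts = line.split(",", 5)  # id, type, log, time, account, message
    if len(parts) < 6 or parts[0].strip() != "675":
        return None
    m = FIELDS.search(parts[5])
    return (m["user"], int(m["code"], 16), m["client"]) if m else None

def bad_password_sources(lines, user="Administrator"):
    """Count wrong-password (0x18) failures per client address for one account."""
    hits = Counter()
    for rec in filter(None, map(parse_675, lines)):
        if rec[0].lower() == user.lower() and rec[1] == 0x18:
            hits[rec[2]] += 1
    return hits.most_common()

# Constructed sample lines in the layout of the log excerpt above; the SID,
# realm and 192.0.2.x addresses are placeholders.
_T = ("675,AUDIT FAILURE,Security,Mon Mar 07 09:3{n}:52 2011,NT AUTHORITY\\SYSTEM,"
      "Pre-authentication failed:     User Name: {u}     User ID:  %{{S-1-5-21-X-500}}"
      "     Service Name: krbtgt/EXAMPLE.COM     Pre-Authentication Type: 0x2"
      "     Failure Code: {c}     Client Address: {a}  ")
SAMPLE = [_T.format(n=n, u=u, c=c, a=a) for n, (u, c, a) in enumerate([
    ("Administrator", "0x18", "192.0.2.130"),
    ("administrator", "0x18", "192.0.2.130"),
    ("Administrator", "0x12", "192.0.2.130"),  # account already locked, not a new bad password
    ("jsmith", "0x18", "192.0.2.77"),          # different account
    ("Administrator", "0x18", "192.0.2.15"),
    ("Administrator", "0x18", "192.0.2.130"),
])] + ["672,AUDIT SUCCESS,Security,Mon Mar 07 09:40:00 2011,NT AUTHORITY\\SYSTEM,ticket granted"]

if __name__ == "__main__":
    for client, count in bad_password_sources(SAMPLE):
        print(f"{client}: {count} x {FAILURE_CODES[0x18]}")
```
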
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35058968
Is it only happening from that one box, 10.x.x.130? What is that box?

Thanks

Mike
 

Author Comment

by:4CHail
ID: 35059022
It is a Windows XP SP3 box. It seems to be only coming from that box. We shut it off this weekend and the problem went away until this morning when we turned it back on. I have been using the account lockout.dll tool to try to determine what program or service is doing it. I have not been able to stop it.

Thanks.
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 35059701
Maybe something like Process Monitor/TCPView or one of the Sysinternals tools on that box can help you out. Check all the services and passwords on that box.

The nice thing here is that you are close because you have it down to one box.

Good blog entry for others that come across this question: http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Thanks

Mike
 
LVL 7

Expert Comment

by:holthd
ID: 35062398
4CHail,
This can sound like suspicious software on the machine. I'd go ahead and have it re-imaged. Just to be sure.

-Daniel
 

Author Comment

by:4CHail
ID: 35062453
After looking at the Admin account, I noticed there were options to use Kerberos DES encryption type for this account. Because the log showed the service was krbtgt/domain.com, I decided to try this option. I have had no more lockouts since making the change.

-4chail

Thanks for all the suggestions.