Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 696
  • Last Modified:

Domain Administrator Account Locked

Greeting,
I have been using MS Account lockout tools  to try to determine which client is sending bad password attempts that is locking out the Domain Administrator Account.
i believe i have found the culprit but i do not know how to get it to stop. Any suggestions would be appreciated. here is a section of the log file that has the client information.

675,AUDIT FAILURE,Security,Mon Mar 07 09:30:52 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: Administrator     User ID:  %{S-1-5-21-1060284298-492894223-725345543-500}     Service Name: krbtgt/mycompany.COM     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 10.x.x.130  

Thank you.
0
4CHail
Asked:
4CHail
  • 2
  • 2
1 Solution
 
Mike KlineCommented:
is it only happening from that one box 10.x.x.130?   What is that box?

Thanks

Mike
0
 
4CHailAuthor Commented:
It is a Windows XP sp3 box. it it seems to be onlly comming from that box. we shut it off this weekend and the problem went away until this morning when we turned it back on. i have been using the account lockout.dll tool to try to determine what program or service is doiing it. i ihave not been able to stop it.

Thanks.
0
 
Mike KlineCommented:
Maybe something like process monitor/TCPView or one of the sysinternal tools on that box can help you out.  Check all the services and passwords on that box.

The nice thing here is that you are close because  you have it down to one box

Good blog entry for others that come across this question  http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Thanks

Mike
0
 
holthdCommented:
4CHail,
This can sound like a suspicious software on the machine. I'd go ahead and have it re-imaged. Just to be sure.

-Daniel
0
 
4CHailAuthor Commented:
After looking at the Admin account, i noticed there were options to use kerberose des encryption type for this account. Because the log showed the service was krbgt/domain.com i decided to try this option. I have had no more lockouts since making the change.

-4chail

Thanks for all the suggestsions.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now