Avatar of 4CHail
4CHail
 asked on

Domain Administrator Account Locked

Greeting,
I have been using MS Account lockout tools  to try to determine which client is sending bad password attempts that is locking out the Domain Administrator Account.
i believe i have found the culprit but i do not know how to get it to stop. Any suggestions would be appreciated. here is a section of the log file that has the client information.

675,AUDIT FAILURE,Security,Mon Mar 07 09:30:52 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: Administrator     User ID:  %{S-1-5-21-1060284298-492894223-725345543-500}     Service Name: krbtgt/mycompany.COM     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 10.x.x.130  

Thank you.
Active DirectorySecurity

Avatar of undefined
Last Comment
4CHail

8/22/2022 - Mon
Mike Kline

is it only happening from that one box 10.x.x.130?   What is that box?

Thanks

Mike
4CHail

ASKER
It is a Windows XP sp3 box. it it seems to be onlly comming from that box. we shut it off this weekend and the problem went away until this morning when we turned it back on. i have been using the account lockout.dll tool to try to determine what program or service is doiing it. i ihave not been able to stop it.

Thanks.
ASKER CERTIFIED SOLUTION
Mike Kline

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
holthd

4CHail,
This can sound like a suspicious software on the machine. I'd go ahead and have it re-imaged. Just to be sure.

-Daniel
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
4CHail

ASKER
After looking at the Admin account, i noticed there were options to use kerberose des encryption type for this account. Because the log showed the service was krbgt/domain.com i decided to try this option. I have had no more lockouts since making the change.

-4chail

Thanks for all the suggestsions.