Solved

Domain Administrator Account Locked

Posted on 2011-03-07
5
667 Views
Last Modified: 2012-05-11
Greeting,
I have been using MS Account lockout tools  to try to determine which client is sending bad password attempts that is locking out the Domain Administrator Account.
i believe i have found the culprit but i do not know how to get it to stop. Any suggestions would be appreciated. here is a section of the log file that has the client information.

675,AUDIT FAILURE,Security,Mon Mar 07 09:30:52 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: Administrator     User ID:  %{S-1-5-21-1060284298-492894223-725345543-500}     Service Name: krbtgt/mycompany.COM     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 10.x.x.130  

Thank you.
0
Comment
Question by:4CHail
  • 2
  • 2
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35058968
is it only happening from that one box 10.x.x.130?   What is that box?

Thanks

Mike
0
 

Author Comment

by:4CHail
ID: 35059022
It is a Windows XP sp3 box. it it seems to be onlly comming from that box. we shut it off this weekend and the problem went away until this morning when we turned it back on. i have been using the account lockout.dll tool to try to determine what program or service is doiing it. i ihave not been able to stop it.

Thanks.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 35059701
Maybe something like process monitor/TCPView or one of the sysinternal tools on that box can help you out.  Check all the services and passwords on that box.

The nice thing here is that you are close because  you have it down to one box

Good blog entry for others that come across this question  http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Thanks

Mike
0
 
LVL 7

Expert Comment

by:holthd
ID: 35062398
4CHail,
This can sound like a suspicious software on the machine. I'd go ahead and have it re-imaged. Just to be sure.

-Daniel
0
 

Author Comment

by:4CHail
ID: 35062453
After looking at the Admin account, i noticed there were options to use kerberose des encryption type for this account. Because the log showed the service was krbgt/domain.com i decided to try this option. I have had no more lockouts since making the change.

-4chail

Thanks for all the suggestsions.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
In-place Upgrading Dirsync to Azure AD Connect
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question