Solved

Specific AD account locked out at random intervals

Posted on 2012-04-05
869 Views
Last Modified: 2012-08-13
Windows 2003 Domain
Blackberry 4.x server

I have one user account in Active Directory that is used for our Blackberry Enterprise Server services.  For whatever reason, at random intervals this account becomes locked out.  It can lock out two days in a row at different times and then be fine for 3 weeks and lock out again.

To investigate this issue I have used the Account Lockout tools provided by Microsoft as well as some 30-day trial apps, but have been unable to find the consistent source of this lockout.  Looking at the security logs from the tools I'm using, it is a few different computers but not one that says, "Hey, it's me!!!"

Everything has been scoured and tweaked for this problem but still no luck:  AD replication, old scheduled tasks, services that have the old password, passwords in old profiles..... nothing.  I changed the password to conform to our password complexity policy even though it is set not to expire and updated all services and credentials for these services.  Still nothing has changed.

Any help I can get would be deeply appreciated as I'm out of ideas of what else to try.
Question by:mappit
14 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
Maybe some application or virus is trying to log in to that account and it is getting locked.
What is the account lockout policy? After how many attempts does the account get locked?
 
LVL 17

Expert Comment

by:Anuroopsundd
You can also see the Account Lockout and Management Tools:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

Another paid tool: http://www.netwrix.com/
 
LVL 53

Expert Comment

by:McKnife
Hi.

I'll give you an example of how that could happen and why it might seem to be at random times.
I work with remote desktop quite regularly, and while I mostly use a domain admin to log in remotely, I sometimes like to check mails, and for Outlook I use my own (weak) account, of course. That said, I opened Outlook and OL offered to let me enter and afterwards save credentials for access to the Exchange server. I saved my credentials. I thought, well, if my pw changes and the saved credentials become invalid, Outlook will tell me, no problem.
A week later, I visited one of those computers again using my domain admin credentials. This time, I did not even open Outlook. Strangely, my weak account locked out right then and, as the DC security logs showed, the lockout happened right from that workstation. I did not even use my weak account there, did I?

The solution to this problem was: our Exchange server is also our print server. Whenever my domain admin account logged in, printer connections were established and... Windows would indeed try and use those weak credentials to connect to the printers, because I had saved them using Outlook before and now they were no longer valid (the password was changed in between). It tries and tries until it gets locked out.

Long story. But you may understand now why the lockouts seemed random: I did not even voluntarily use that account at lockout time! So you should check whether, on any of these IPs that produce the lockout, you have saved credentials for that specific account in ANY profile that might have logged in at lockout times, and delete those. Maybe it's something similar to my story.
 

Author Comment

by:mappit
I've used Netwrix and all Microsoft tools.
 

Author Comment

by:mappit
Account locks out after 3 invalid attempts.
 

Author Comment

by:mappit
I've also had all of our admins check for saved passwords in their profile via the Control Panel.
 
LVL 53

Expert Comment

by:McKnife
You should look at the lockout times, then at what workstations the lockout was provoked at. Then try and find out who was logged into that workstation at that time and check his profile for saved passwords or user-bound scripts that could have that password implemented.
 

Author Comment

by:mappit
I have checked the lockout times and verified that the lockout is coming from one particular server used as a terminal server only by admins for DR purposes.  It is in a different subnet than the rest of the network and is connected to our main network via VPN.  This was the reason I checked replication first between domain controllers.

Here is what I'm seeing on the security log for the domain controller to which this terminal server authenticates:

---------------------------------------------------------------  
644,AUDIT SUCCESS,Security,Thu Apr 05 17:25:37 2012,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: besadmin     Target Account ID: %{S-1-5-21-542645737-1914789910-3720152676-1385}     Caller Machine Name: MJM-SVIT701     Caller User Name: domaincontroller$     Caller Domain: domain_name    Caller Logon ID: (0x0,0x3E7)
---------------------------------------------------------------  
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:37 2012,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: besadmin     User ID:  %{S-1-5-21-542645737-1914789910-3720152676-1385}     Service Name: krbtgt/domain_name     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 172.16.13.100     Certificate Issuer Name: %7     Certificate Serial Number: %8     Certificate Thumbprint: %9
---------------------------------------------------------------  
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:35 2012,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: besadmin     User ID:  %{S-1-5-21-542645737-1914789910-3720152676-1385}     Service Name: krbtgt/domain_name     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 172.16.13.100     Certificate Issuer Name: %7     Certificate Serial Number: %8     Certificate Thumbprint: %9
---------------------------------------------------------------  
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:33 2012,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: besadmin     User ID:  %{S-1-5-21-542645737-1914789910-3720152676-1385}     Service Name: krbtgt/domain_name     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 172.16.13.100     Certificate Issuer Name: %7     Certificate Serial Number: %8     Certificate Thumbprint: %9
 

Author Comment

by:mappit
These are the times it has been locked out in the past month.  I double-checked whether anyone was logged into this server during these lockouts.  The only authentication shown is for SYSTEM.

Mon Apr 09 02:00:21 2012
Sat Apr 07 00:42:00 2012
Thu Apr 05 17:25:37 2012
Thu Mar 29 20:33:40 2012
Wed Mar 28 05:14:38 2012
Sat Mar 24 00:04:12 2012
Wed Mar 21 01:26:14 2012
Tue Mar 20 11:26:20 2012
Thu Mar 15 15:46:50 2012
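As an added example (not part of the thread, and not one of the Microsoft or Netwrix tools mentioned above), the following Python script parses the exported security-log lines posted earlier in this thread (event 644 "User Account Locked Out" and the three event 675 "Pre-authentication failed" lines, with the empty certificate fields trimmed) together with the list of lockout times just above, and produces the two things a defender wants when hunting a lockout source: for each lockout, the count, client address and Kerberos failure code of the bad-password attempts inside the observation window, and which lockouts fell on a weekend or outside business hours (a cluster there points at automation or an external source rather than a person at a keyboard). The lockout threshold of 3 and the 30-minute observation window are taken from the thread and from the Windows 2003 default respectively; the business-day boundaries (08:00 to 18:00) are an assumption you would adjust to your site.

```python
import re
from datetime import datetime, timedelta

# Lines reproduced from the thread's log excerpt (certificate fields trimmed);
# one lockout (644) preceded by three Kerberos pre-auth failures (675).
SAMPLE_LOG = r"""
644,AUDIT SUCCESS,Security,Thu Apr 05 17:25:37 2012,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: besadmin     Target Account ID: %{S-1-5-21-542645737-1914789910-3720152676-1385}     Caller Machine Name: MJM-SVIT701     Caller User Name: domaincontroller$     Caller Domain: domain_name    Caller Logon ID: (0x0,0x3E7)
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:37 2012,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: besadmin     User ID:  %{S-1-5-21-542645737-1914789910-3720152676-1385}     Service Name: krbtgt/domain_name     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 172.16.13.100
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:35 2012,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: besadmin     User ID:  %{S-1-5-21-542645737-1914789910-3720152676-1385}     Service Name: krbtgt/domain_name     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 172.16.13.100
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:33 2012,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: besadmin     User ID:  %{S-1-5-21-542645737-1914789910-3720152676-1385}     Service Name: krbtgt/domain_name     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 172.16.13.100
""".strip().splitlines()

# The lockout times listed in the thread.
LOCKOUT_TIMES = [
    "Mon Apr 09 02:00:21 2012", "Sat Apr 07 00:42:00 2012", "Thu Apr 05 17:25:37 2012",
    "Thu Mar 29 20:33:40 2012", "Wed Mar 28 05:14:38 2012", "Sat Mar 24 00:04:12 2012",
    "Wed Mar 21 01:26:14 2012", "Tue Mar 20 11:26:20 2012", "Thu Mar 15 15:46:50 2012",
]

TIME_FMT = "%a %b %d %H:%M:%S %Y"

# Standard Kerberos KDC error codes as they appear in the event's Failure Code field.
KERBEROS_FAILURE_CODES = {
    "0x6": "client not found in Kerberos database (bad user name)",
    "0x12": "client credentials revoked (account locked out or disabled)",
    "0x17": "password expired",
    "0x18": "pre-authentication failed (wrong password)",
    "0x25": "clock skew too great",
}

# "Key: value" pairs in the description are separated by runs of two or more spaces.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z \-]*?):\s*(\S.*?)(?=\s{2,}|$)")


def parse_event(line):
    """Split one exported line into its fixed columns and the description's fields."""
    event_id, status, _log, stamp, _user, desc = line.split(",", 5)
    headline, _, rest = desc.partition(":")  # drop the "User Account Locked Out:" prefix
    fields = {key.strip(): value for key, value in PAIR_RE.findall(rest.strip())}
    return {
        "id": int(event_id),
        "status": status,
        "time": datetime.strptime(stamp, TIME_FMT),
        "headline": headline.strip(),
        "fields": fields,
    }


def explain_lockouts(lines, threshold=3, window=timedelta(minutes=30)):
    """For every 644 lockout, gather the 675 failures for the same account in the
    preceding observation window and report where they came from."""
    events = [parse_event(line) for line in lines if line.strip()]
    failures = [e for e in events if e["id"] == 675]
    report = []
    for lock in (e for e in events if e["id"] == 644):
        account = lock["fields"]["Target Account Name"]
        related = [
            f for f in failures
            if f["fields"]["User Name"].lower() == account.lower()
            and lock["time"] - window <= f["time"] <= lock["time"]
        ]
        report.append({
            "account": account,
            "locked_at": lock["time"],
            "caller_machine": lock["fields"].get("Caller Machine Name"),
            "failures": len(related),
            "threshold_reached": len(related) >= threshold,
            "client_addresses": sorted({f["fields"]["Client Address"] for f in related}),
            "failure_codes": {
                code: KERBEROS_FAILURE_CODES.get(code, "unknown")
                for code in {f["fields"]["Failure Code"] for f in related}
            },
        })
    return report


def off_hours_lockouts(stamps, day_start=8, day_end=18):
    """Return the lockout times on a weekend or outside the (assumed) business day."""
    out = []
    for stamp in stamps:
        t = datetime.strptime(stamp, TIME_FMT)
        if t.weekday() >= 5 or not (day_start <= t.hour < day_end):
            out.append(t)
    return out


if __name__ == "__main__":
    for entry in explain_lockouts(SAMPLE_LOG):
        print(entry)
    for t in off_hours_lockouts(LOCKOUT_TIMES):
        print("off-hours lockout:", t)
```

On the thread's data this reports one lockout of besadmin reached after three 0x18 (wrong password) failures from 172.16.13.100, and six of the nine listed lockouts outside business hours, which is the pattern the accepted answer later attributes to an internet-exposed RDP service rather than a stored credential.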
 
LVL 53

Expert Comment

by:McKnife
So if no one was logged in, it has to be a scheduled task or any other software that runs as a service or a service itself. Check again.
 

Author Comment

by:mappit
No services with these credentials.
No scheduled tasks with these credentials.
No software with these credentials.
 
LVL 53

Expert Comment

by:McKnife
Then the only possibility will be extensive logging.
Log the computer where the lockout was provoked using procmon (use the option to drop unneeded content, otherwise the logs will grow huge). Use a network sniffer like Wireshark on that computer, too, to find what type of request sent these credentials. Sorry, out of other ideas.
 

Accepted Solution

by: mappit (earned 0 total points)
Thought I would update everyone on this issue.  After talking about it with some of my colleagues, the suggestion was put forth that it could possibly be due to an attempt to compromise the system externally.  We had RDP open to any internet address, so I limited it to our internal network and my WAN IP at home about three weeks ago.  Since then the account has not been locked out, and I have noticed that other generic user accounts (Guest, Microsoft) have not been locked out either (I used to wonder why these were locked out as well!!)
 

Author Closing Comment

by:mappit
Our fault for not figuring this out sooner.