mappit
asked on
Specific AD account locked out at random intervals
Windows 2003 Domain
Blackberry 4.x server
I have one user account in Active Directory that is used for our Blackberry Enterprise Server services. For whatever reason, at random intervals this account becomes locked out. It can lock out two days in a row at different times and then be fine for 3 weeks and lock out again.
To investigate this issue I have used the Account Lockout tools provided by Microsoft as well as some 30 day trial apps but unable to find the consistent source of this lockout. Looking at the security logs from the tools I'm using it is a few different computers but not one that says, "Hey, it's me!!!
Everything has been scoured and tweaked for this problem but still no luck: AD replication, old scheduled tasks, services that have the old password, passwords in old profiles..... nothing. I changed the password to conform to our password complexity policy even though it is set not to expire and updated all services and credentials for these services. Still nothing has changed.
Any help I can get would be deeply appreciated as I'm out of ideas of what else to try.
Blackberry 4.x server
I have one user account in Active Directory that is used for our Blackberry Enterprise Server services. For whatever reason, at random intervals this account becomes locked out. It can lock out two days in a row at different times and then be fine for 3 weeks and lock out again.
To investigate this issue I have used the Account Lockout tools provided by Microsoft as well as some 30 day trial apps but unable to find the consistent source of this lockout. Looking at the security logs from the tools I'm using it is a few different computers but not one that says, "Hey, it's me!!!
Everything has been scoured and tweaked for this problem but still no luck: AD replication, old scheduled tasks, services that have the old password, passwords in old profiles..... nothing. I changed the password to conform to our password complexity policy even though it is set not to expire and updated all services and credentials for these services. Still nothing has changed.
Any help I can get would be deeply appreciated as I'm out of ideas of what else to try.
you can also see account lockout and management tool.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
another paid tool .. http://www.netwrix.com/
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
another paid tool .. http://www.netwrix.com/
Hi.
I'll give you an example on how that could happen and why this might seem random times.
I am working with remote desktop quite regularly and while I mostly use a domain admin to login remotely, I sometimes like to check mails and for outlook, I use my own (weak) account, of course. That said, I opened outlook and OL offered me to enter and afterwards save credentials for the access to the exchange server. I saved my credentials. I thought, well, if my pw changes and saved credentials become invalid, outlook will tell me, no problem.
A week later, I visited one of those computers again using my domain admin credentials. This time, I did not even open outlook. Strangely, my weak account locked out right then and, as the DC security logs showed, lockout happened right from that workstation - I did not even use my weak account there, did I?
Solution to this problem was: our exchange server is also our print server. Whenever my domain admin account logged in, printer connections were established and... windows would indeed try and use that weak credentials to connect the printers because I saved those using outlook before and now they were no longer valid (password was changed in between). It tries and tries until it gets locked out.
Long story. But you may understand now, why lockouts seemed random: I did not even voluntarily use that account at lockout time! So you should watch out, if on any of these IPs that produce the lockout, you have saved credentials for that specific account in ANY profile that might have logged in at lockout times and delete those. Maybe it's something similar to my story.
I'll give you an example on how that could happen and why this might seem random times.
I am working with remote desktop quite regularly and while I mostly use a domain admin to login remotely, I sometimes like to check mails and for outlook, I use my own (weak) account, of course. That said, I opened outlook and OL offered me to enter and afterwards save credentials for the access to the exchange server. I saved my credentials. I thought, well, if my pw changes and saved credentials become invalid, outlook will tell me, no problem.
A week later, I visited one of those computers again using my domain admin credentials. This time, I did not even open outlook. Strangely, my weak account locked out right then and, as the DC security logs showed, lockout happened right from that workstation - I did not even use my weak account there, did I?
Solution to this problem was: our exchange server is also our print server. Whenever my domain admin account logged in, printer connections were established and... windows would indeed try and use that weak credentials to connect the printers because I saved those using outlook before and now they were no longer valid (password was changed in between). It tries and tries until it gets locked out.
Long story. But you may understand now, why lockouts seemed random: I did not even voluntarily use that account at lockout time! So you should watch out, if on any of these IPs that produce the lockout, you have saved credentials for that specific account in ANY profile that might have logged in at lockout times and delete those. Maybe it's something similar to my story.
ASKER
I've used Netwrix and all Microsoft tools.
ASKER
Account locks out after 3 invalid attempts.
ASKER
I've also had all of our admins check for saved passwords in their profile via the Control Panel.
You should look at the lockout times then at what workstations the lockout was provoked at. Then try and find out who was logged into that woirkstation at that time and check his profile for saved passwords or userbound scripts that could have that passw. implemented.
ASKER
I have checked the lockout times and verified that the lockout is coming from one particular server used as terminal server only by admins for DR purposes. it is in a different subnet that the rest of the network and is connected to our main network via VPN. This was the reason I checked replication first between domain controllers.
Here is what I'm seeing on the security log for the domain controller to which this terminal server authenticates:
-------------------------- ---------- ---------- ---------- -------
644,AUDIT SUCCESS,Security,Thu Apr 05 17:25:37 2012,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: besadmin Target Account ID: %{S-1-5-21-542645737-19147 89910-3720 152676-138 5} Caller Machine Name: MJM-SVIT701 Caller User Name: domaincontroller$ Caller Domain: domain_name Caller Logon ID: (0x0,0x3E7)
-------------------------- ---------- ---------- ---------- -------
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:37 2012,NT AUTHORITY\SYSTEM,Pre-authe ntication failed: User Name: besadmin User ID: %{S-1-5-21-542645737-19147 89910-3720 152676-138 5} Service Name: krbtgt/domain_name Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.13.100 Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
-------------------------- ---------- ---------- ---------- -------
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:35 2012,NT AUTHORITY\SYSTEM,Pre-authe ntication failed: User Name: besadmin User ID: %{S-1-5-21-542645737-19147 89910-3720 152676-138 5} Service Name: krbtgt/domain_name Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.13.100 Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
-------------------------- ---------- ---------- ---------- -------
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:33 2012,NT AUTHORITY\SYSTEM,Pre-authe ntication failed: User Name: besadmin User ID: %{S-1-5-21-542645737-19147 89910-3720 152676-138 5} Service Name: krbtgt/domain_name Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.13.100 Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
Here is what I'm seeing on the security log for the domain controller to which this terminal server authenticates:
--------------------------
644,AUDIT SUCCESS,Security,Thu Apr 05 17:25:37 2012,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: besadmin Target Account ID: %{S-1-5-21-542645737-19147
--------------------------
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:37 2012,NT AUTHORITY\SYSTEM,Pre-authe
--------------------------
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:35 2012,NT AUTHORITY\SYSTEM,Pre-authe
--------------------------
675,AUDIT FAILURE,Security,Thu Apr 05 17:25:33 2012,NT AUTHORITY\SYSTEM,Pre-authe
ASKER
These are the times it has been locked out in the past month. Double checked if anyone was logged into this server during these lockouts. Only authentication shown is for SYSTEM.
Mon Apr 09 02:00:21 2012
Sat Apr 07 00:42:00 2012
Thu Apr 05 17:25:37 2012
Thu Mar 29 20:33:40 2012
Wed Mar 28 05:14:38 2012
Sat Mar 24 00:04:12 2012
Wed Mar 21 01:26:14 2012
Tue Mar 20 11:26:20 2012
Thu Mar 15 15:46:50 2012
Mon Apr 09 02:00:21 2012
Sat Apr 07 00:42:00 2012
Thu Apr 05 17:25:37 2012
Thu Mar 29 20:33:40 2012
Wed Mar 28 05:14:38 2012
Sat Mar 24 00:04:12 2012
Wed Mar 21 01:26:14 2012
Tue Mar 20 11:26:20 2012
Thu Mar 15 15:46:50 2012
So if no one was logged in, it has to be a scheduled task or any other software that runs as a service or a service itself. Check again.
ASKER
No services with these credentials.
No scheduled tasks with these credentials.
No software with these credentials.
No scheduled tasks with these credentials.
No software with these credentials.
Then the only possibility will be extensive logging.
Log the computer where the lockout was provoced using procmon (use the option to drop unneeded content, otherwise the logs will grow huge). Use a network sniffer like wireshark on that computer, too to find what type of request sent these credentials. Sorry, out of other ideas.
Log the computer where the lockout was provoced using procmon (use the option to drop unneeded content, otherwise the logs will grow huge). Use a network sniffer like wireshark on that computer, too to find what type of request sent these credentials. Sorry, out of other ideas.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Our fault for not figuring this out sooner.
what is the account lockout policy. after how many attempts does the accound get's locked.