Solved

AD Domain, member servers local administrator accounts attempting authentication

Posted on 2013-05-29
5
319 Views
Last Modified: 2013-09-07
I am seeing local administrator accounts on member servers getting locked out.

The security logs show other member servers are attempting to log on using their local administrator credentials.  The issue, I assume, is a different password for the local administrator between these member servers (a good idea in my book - however, causing me considerable frustration).

Example:
Server-A and Server-B are member servers, joined to a domain, not DC's themselves.
Server-A: failed logon attempt from Server-B\Administrator
Server-A\administrator account gets locked out.

The question is:  how can I monitor these systems to see which process on Server-B is trying to authenticate to Server-A using Server-B\administrator?

Procmon?  Wireshark?
0
Comment
Question by:snowdog_2112
  • 4
5 Comments
 
LVL 4

Expert Comment

by:Rsilva98
ID: 39204791
download the Account Lockout and Management Tools  from microsoft website here

1. Use LockoutStatus.exe to determine that which DC is getting the wrong password and it will show you the exact time also.
2. Go to that DC....Open security log for the time exactly mentioned in LockoutStatus.exe and you will find the IP of source computer sending the wrong password.
3. Once you get the IP of the source you can use the tools to start finding the issue for locking your account.

Use a third party tool to audit in this link

Reconfigure the accounts with proper permissions.
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 39206064
Thanks for the response.

1. I know which account is using the wrong password - it's not a domain account.  Server-B\Administrator is attempting to authenticate directly to Server-A.

2. No DC involved.  Server-A\Administrator is locked out.  Local User.

3.  I know the source and target systems: Server-A and Server-B.

Proper permissions - Don't know what you mean by this.  I don't want local administrator accounts to have the same password.  That is a security no-no.

In my post, I specifically mentioned that it is the LOCAL administrator accounts getting locked out.  Additionally, the local security log on these member (non-DC) servers shows logon attempts from other member servers using the other servers' LOCAL administrator account.

AD does not appear to be involved, so the ALMT tool will not be of much use, since it is NOT the domain accounts getting locked out.

My suspicion is something on these member servers is causing them to attempt to authenticate to other member servers with their local administrator credentials, but the local administrator password is different between member servers - thus resulting in the lockouts.
0
 

Author Comment

by:snowdog_2112
ID: 39242195
any thoughts on this?
0
 

Author Comment

by:snowdog_2112
ID: 39307962
anyone?  beuller?
0
 

Author Closing Comment

by:snowdog_2112
ID: 39472675
nothing useful suggested...
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This subject  of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts: devices#sthash.eoFY7dic.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now