Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

AD Domain, member servers local administrator accounts attempting authentication

Posted on 2013-05-29
5
Medium Priority
?
333 Views
Last Modified: 2013-09-07
I am seeing local administrator accounts on member servers getting locked out.

The security logs show other member servers are attempting to log on using their local administrator credentials.  The issue, I assume, is a different password for the local administrator between these member servers (a good idea in my book - however, causing me considerable frustration).

Example:
Server-A and Server-B are member servers, joined to a domain, not DC's themselves.
Server-A: failed logon attempt from Server-B\Administrator
Server-A\administrator account gets locked out.

The question is:  how can I monitor these systems to see which process on Server-B is trying to authenticate to Server-A using Server-B\administrator?

Procmon?  Wireshark?
0
Comment
Question by:snowdog_2112
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 4

Expert Comment

by:Rsilva98
ID: 39204791
download the Account Lockout and Management Tools  from microsoft website here

1. Use LockoutStatus.exe to determine that which DC is getting the wrong password and it will show you the exact time also.
2. Go to that DC....Open security log for the time exactly mentioned in LockoutStatus.exe and you will find the IP of source computer sending the wrong password.
3. Once you get the IP of the source you can use the tools to start finding the issue for locking your account.

Use a third party tool to audit in this link

Reconfigure the accounts with proper permissions.
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 39206064
Thanks for the response.

1. I know which account is using the wrong password - it's not a domain account.  Server-B\Administrator is attempting to authenticate directly to Server-A.

2. No DC involved.  Server-A\Administrator is locked out.  Local User.

3.  I know the source and target systems: Server-A and Server-B.

Proper permissions - Don't know what you mean by this.  I don't want local administrator accounts to have the same password.  That is a security no-no.

In my post, I specifically mentioned that it is the LOCAL administrator accounts getting locked out.  Additionally, the local security log on these member (non-DC) servers shows logon attempts from other member servers using the other servers' LOCAL administrator account.

AD does not appear to be involved, so the ALMT tool will not be of much use, since it is NOT the domain accounts getting locked out.

My suspicion is something on these member servers is causing them to attempt to authenticate to other member servers with their local administrator credentials, but the local administrator password is different between member servers - thus resulting in the lockouts.
0
 

Author Comment

by:snowdog_2112
ID: 39242195
any thoughts on this?
0
 

Author Comment

by:snowdog_2112
ID: 39307962
anyone?  beuller?
0
 

Author Closing Comment

by:snowdog_2112
ID: 39472675
nothing useful suggested...
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question