[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 337
  • Last Modified:

AD Domain, member servers local administrator accounts attempting authentication

I am seeing local administrator accounts on member servers getting locked out.

The security logs show other member servers are attempting to log on using their local administrator credentials.  The issue, I assume, is a different password for the local administrator between these member servers (a good idea in my book - however, causing me considerable frustration).

Example:
Server-A and Server-B are member servers, joined to a domain, not DC's themselves.
Server-A: failed logon attempt from Server-B\Administrator
Server-A\administrator account gets locked out.

The question is:  how can I monitor these systems to see which process on Server-B is trying to authenticate to Server-A using Server-B\administrator?

Procmon?  Wireshark?
0
snowdog_2112
Asked:
snowdog_2112
  • 4
1 Solution
 
Rsilva98Commented:
download the Account Lockout and Management Tools  from microsoft website here

1. Use LockoutStatus.exe to determine that which DC is getting the wrong password and it will show you the exact time also.
2. Go to that DC....Open security log for the time exactly mentioned in LockoutStatus.exe and you will find the IP of source computer sending the wrong password.
3. Once you get the IP of the source you can use the tools to start finding the issue for locking your account.

Use a third party tool to audit in this link

Reconfigure the accounts with proper permissions.
0
 
snowdog_2112Author Commented:
Thanks for the response.

1. I know which account is using the wrong password - it's not a domain account.  Server-B\Administrator is attempting to authenticate directly to Server-A.

2. No DC involved.  Server-A\Administrator is locked out.  Local User.

3.  I know the source and target systems: Server-A and Server-B.

Proper permissions - Don't know what you mean by this.  I don't want local administrator accounts to have the same password.  That is a security no-no.

In my post, I specifically mentioned that it is the LOCAL administrator accounts getting locked out.  Additionally, the local security log on these member (non-DC) servers shows logon attempts from other member servers using the other servers' LOCAL administrator account.

AD does not appear to be involved, so the ALMT tool will not be of much use, since it is NOT the domain accounts getting locked out.

My suspicion is something on these member servers is causing them to attempt to authenticate to other member servers with their local administrator credentials, but the local administrator password is different between member servers - thus resulting in the lockouts.
0
 
snowdog_2112Author Commented:
any thoughts on this?
0
 
snowdog_2112Author Commented:
anyone?  beuller?
0
 
snowdog_2112Author Commented:
nothing useful suggested...
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now