Solved

AD Domain, member servers local administrator accounts attempting authentication

Posted on 2013-05-29
5
326 Views
Last Modified: 2013-09-07
I am seeing local administrator accounts on member servers getting locked out.

The security logs show other member servers are attempting to log on using their local administrator credentials.  The issue, I assume, is a different password for the local administrator between these member servers (a good idea in my book - however, causing me considerable frustration).

Example:
Server-A and Server-B are member servers, joined to a domain, not DC's themselves.
Server-A: failed logon attempt from Server-B\Administrator
Server-A\administrator account gets locked out.

The question is:  how can I monitor these systems to see which process on Server-B is trying to authenticate to Server-A using Server-B\administrator?

Procmon?  Wireshark?
0
Comment
Question by:snowdog_2112
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 4

Expert Comment

by:Rsilva98
ID: 39204791
download the Account Lockout and Management Tools  from microsoft website here

1. Use LockoutStatus.exe to determine that which DC is getting the wrong password and it will show you the exact time also.
2. Go to that DC....Open security log for the time exactly mentioned in LockoutStatus.exe and you will find the IP of source computer sending the wrong password.
3. Once you get the IP of the source you can use the tools to start finding the issue for locking your account.

Use a third party tool to audit in this link

Reconfigure the accounts with proper permissions.
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 39206064
Thanks for the response.

1. I know which account is using the wrong password - it's not a domain account.  Server-B\Administrator is attempting to authenticate directly to Server-A.

2. No DC involved.  Server-A\Administrator is locked out.  Local User.

3.  I know the source and target systems: Server-A and Server-B.

Proper permissions - Don't know what you mean by this.  I don't want local administrator accounts to have the same password.  That is a security no-no.

In my post, I specifically mentioned that it is the LOCAL administrator accounts getting locked out.  Additionally, the local security log on these member (non-DC) servers shows logon attempts from other member servers using the other servers' LOCAL administrator account.

AD does not appear to be involved, so the ALMT tool will not be of much use, since it is NOT the domain accounts getting locked out.

My suspicion is something on these member servers is causing them to attempt to authenticate to other member servers with their local administrator credentials, but the local administrator password is different between member servers - thus resulting in the lockouts.
0
 

Author Comment

by:snowdog_2112
ID: 39242195
any thoughts on this?
0
 

Author Comment

by:snowdog_2112
ID: 39307962
anyone?  beuller?
0
 

Author Closing Comment

by:snowdog_2112
ID: 39472675
nothing useful suggested...
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Communicating machines through cross-over cable? 5 94
Windows 2008 set profile 9 61
Windows Server 2003 2 38
Protecting Server 2003 against Ransomware 2 76
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question