Solved

AD Domain, member servers local administrator accounts attempting authentication

Posted on 2013-05-29
5
323 Views
Last Modified: 2013-09-07
I am seeing local administrator accounts on member servers getting locked out.

The security logs show other member servers are attempting to log on using their local administrator credentials.  The issue, I assume, is a different password for the local administrator between these member servers (a good idea in my book - however, causing me considerable frustration).

Example:
Server-A and Server-B are member servers, joined to a domain, not DC's themselves.
Server-A: failed logon attempt from Server-B\Administrator
Server-A\administrator account gets locked out.

The question is:  how can I monitor these systems to see which process on Server-B is trying to authenticate to Server-A using Server-B\administrator?

Procmon?  Wireshark?
0
Comment
Question by:snowdog_2112
  • 4
5 Comments
 
LVL 4

Expert Comment

by:Rsilva98
ID: 39204791
download the Account Lockout and Management Tools  from microsoft website here

1. Use LockoutStatus.exe to determine that which DC is getting the wrong password and it will show you the exact time also.
2. Go to that DC....Open security log for the time exactly mentioned in LockoutStatus.exe and you will find the IP of source computer sending the wrong password.
3. Once you get the IP of the source you can use the tools to start finding the issue for locking your account.

Use a third party tool to audit in this link

Reconfigure the accounts with proper permissions.
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 39206064
Thanks for the response.

1. I know which account is using the wrong password - it's not a domain account.  Server-B\Administrator is attempting to authenticate directly to Server-A.

2. No DC involved.  Server-A\Administrator is locked out.  Local User.

3.  I know the source and target systems: Server-A and Server-B.

Proper permissions - Don't know what you mean by this.  I don't want local administrator accounts to have the same password.  That is a security no-no.

In my post, I specifically mentioned that it is the LOCAL administrator accounts getting locked out.  Additionally, the local security log on these member (non-DC) servers shows logon attempts from other member servers using the other servers' LOCAL administrator account.

AD does not appear to be involved, so the ALMT tool will not be of much use, since it is NOT the domain accounts getting locked out.

My suspicion is something on these member servers is causing them to attempt to authenticate to other member servers with their local administrator credentials, but the local administrator password is different between member servers - thus resulting in the lockouts.
0
 

Author Comment

by:snowdog_2112
ID: 39242195
any thoughts on this?
0
 

Author Comment

by:snowdog_2112
ID: 39307962
anyone?  beuller?
0
 

Author Closing Comment

by:snowdog_2112
ID: 39472675
nothing useful suggested...
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question