snowdog_2112
AD Domain, member servers local administrator accounts attempting authentication
I am seeing local administrator accounts on member servers getting locked out.
The security logs show other member servers are attempting to log on using their local administrator credentials. The issue, I assume, is a different password for the local administrator between these member servers (a good idea in my book - however, causing me considerable frustration).
Example:
Server-A and Server-B are member servers, joined to a domain, not DC's themselves.
Server-A: failed logon attempt from Server-B\Administrator
Server-A\administrator account gets locked out.
The question is: how can I monitor these systems to see which process on Server-B is trying to authenticate to Server-A using Server-B\administrator?
Procmon? Wireshark?
ASKER
any thoughts on this?
ASKER
anyone? Bueller?
ASKER
nothing useful suggested...
1. Use LockoutStatus.exe to determine which DC is getting the wrong password; it will also show you the exact time.
2. Go to that DC. Open the security log for the exact time mentioned in LockoutStatus.exe and you will find the IP of the source computer sending the wrong password.
3. Once you get the IP of the source you can use the tools to start finding the issue for locking your account.
Use a third party tool to audit in this link
Reconfigure the accounts with proper permissions.
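
Steps 2 and 3 above, sketched as an added PowerShell example that is not part of the original thread: it reads failed-logon events (event ID 4625) from the Security log of the machine that recorded them and groups them by source host, source IP and logon type, so the timestamps can be matched against activity on the source server. The account name and look-back window are assumptions; run it elevated.

```powershell
# Added example: summarize failed logons (event 4625) for one account by source.
# Run elevated on the machine whose Security log recorded the failures
# (Server-A in the question).
param(
    [string]$TargetUser = 'Administrator',  # assumed: the account being locked out
    [int]$HoursBack     = 24                # assumed: look-back window in hours
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Flatten the named <Data> fields of the event into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['TargetUserName'] -ne $TargetUser) { continue }

    [pscustomobject]@{
        Time         = $ev.TimeCreated
        TargetDomain = $data['TargetDomainName']   # e.g. the remote server name
        SourceHost   = $data['WorkstationName']
        SourceIp     = $data['IpAddress']
        LogonType    = $data['LogonType']          # 3 = network, 10 = RDP
        AuthPackage  = $data['AuthenticationPackageName']
        SubStatus    = $data['SubStatus']          # 0xC000006A = wrong password
    }
}

if (-not $rows) {
    Write-Output "No failed logons for '$TargetUser' in the last $HoursBack hours."
    return
}

# Which source is generating the failures, and how often?
$rows | Group-Object SourceHost, SourceIp, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Most recent attempts, for matching timestamps against the source machine.
$rows | Sort-Object Time | Select-Object -Last 10 | Format-Table -AutoSize
```

A regular interval between attempts usually points at a scheduled task, service or mapped drive on the source machine that is still using a stored credential.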