drgleockler

ASKER

Account is locking out constantly

We have an admin account that has recently had the password changed. It is constantly being locked out since the password was changed but we can't find out why. I am a novice with log entries...
Windows Server 2008

ASKER CERTIFIED SOLUTION
TunerML
drgleockler

ASKER

No software is using the account that I know of. I used a lockout examiner and this is the information it gave me.
Capture.JPG
Sean

Make sure you don't have a service on the server trying to run as that account. That is what it looks like to me. Something is trying to log into the account and is not getting in. You may also want to check your event logs for failed login attempts.
stu29

Check your Security log on the DC. It will tell you a lot of info. Filter by failed audits and start to check the failures for your Admin account.

Things it could be: services running under the Admin credentials, software doing the same, mail-enabled software trying to send emails/alerts, scheduled tasks...
stu29

First figure out which machine(s) the failures are coming from.
drgleockler

ASKER

Here is the security log info I found...help?
Capture2.JPG
stu29

Failure code 0x18 is a pre-auth failure with bad password for Kerberos.

What machine does the IP Address belong to?
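An added example, not written by anyone on this thread, that does what stu29 describes: pull the Kerberos pre-auth failures (event 4771, whose Status field carries the 0x18 code) and the lockout events (4740) for one account from the DC's Security log, count them per source address, and resolve each IP to a host name. It assumes PowerShell 3.0 or later; the account name and DC name are placeholders.

```powershell
# Added example (not from this thread): list Kerberos pre-auth failures (4771) and
# lockouts (4740) for one account on a DC's Security log and count them per source.
# Assumes PowerShell 3.0+; $Account and $DC are placeholders.
param(
    [string]$Account = 'admin',      # placeholder: the account that keeps locking out
    [string]$DC      = 'localhost',  # placeholder: the DC whose Security log to read
    [int]$Hours      = 24
)
$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771, 4740           # 4771 = Kerberos pre-auth failed, 4740 = account locked out
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Read the named <Data> fields out of an event's XML into a hashtable.
function Get-EventData($evt) {
    $h = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$rows = foreach ($e in $events) {
    $d = Get-EventData $e
    if ($d['TargetUserName'] -ne $Account) { continue }   # only the account we care about
    if ($e.Id -eq 4771) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Event  = 4771
            Source = $d['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
            Detail = "Status $($d['Status'])"                   # 0x18 = bad password at pre-auth
        }
    } else {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Event  = 4740
            Source = $d['TargetDomainName']   # in 4740 this field carries the Caller Computer Name
            Detail = 'Account locked out'
        }
    }
}

# Which machine is sending the bad credentials? Most frequent source first.
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Name, Count, @{n='Last'; e={($_.Group | Sort-Object Time)[-1].Time}} |
    Format-Table -AutoSize

# Map each failing IP to a host name, which answers "what machine does the IP belong to?"
$rows | Where-Object { $_.Event -eq 4771 } | Select-Object -ExpandProperty Source | Sort-Object -Unique |
    ForEach-Object { try { "$_ -> $([System.Net.Dns]::GetHostEntry($_).HostName)" } catch { "$_ -> (no reverse lookup)" } }
```

Running it against a DC requires the account to have read access to the remote Security log; if failures show up from the source the thread identified (the secondary DC), the next step is the scheduled task, service and Credential Manager checks the later replies list.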
drgleockler

ASKER

Our secondary domain controller.
Sean

Check services on that DC and make sure nothing is running as the admin account.
stu29

I would say you have something configured to run with the admin account credentials. Services, software, explicit mapped drives or printers, scheduled tasks.

Check Credential Manager also to see if there is anything in there.

All on your second DC.
drgleockler

ASKER

Nothing in Credential Manager and no services running as that account. The server also has no mapped drives or printers.
stu29

At this point I would personally be running Wireshark (or your preference of tool) to capture the packets to see what is passing the Admin credentials.
Sean

Any scheduled tasks?