Account is locking out constantly

We have an admin account that has recently had the password changed. It is constantly being locked out since the password was changed but we can't find out why. I am a novice with log entries...
drgleocklerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TunerMLSystems EngineerCommented:
There could be some software still referencing the account with the previous password. Check to see which software may be using the account to access resources.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
drgleocklerAuthor Commented:
No software is using the account that I know of. I used a lockout examiner and this is the information it gave me.
Capture.JPG
0
SeanSystem EngineerCommented:
Make sure you don't have a service on the server trying to run as that account. That is what it looks like to me. Something is trying to log into the account and is not getting in. You may also want to check you event logs for failed login attempts
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

stu29Commented:
Check your Security log on the DC.  It will tell you a lot of info. Filter by failed Audits and start to check the failures for your Admin account.  

Things it could be .. services running under the Admin credentials, softwares doing the same, mail enabled software trying to send emails/alerts, Scheduled talks ...
0
stu29Commented:
First figure out which machine(s) the failures are coming from.
0
drgleocklerAuthor Commented:
Here is the security log info I found...help?
Capture2.JPG
0
stu29Commented:
Failure code 0x18 is Pre-auth failure with bad password for kerberos.

What machine does the IP Address belong to?
0
drgleocklerAuthor Commented:
our secondary domain controller.
0
SeanSystem EngineerCommented:
Check services on that DC and make sure nothing is running as the admin account.
0
stu29Commented:
I would say you have something confi'd to run with the admin account credentials.  Services, software, explicit mapped drives or printers, Scheduled task.

Check credential Manager also to see if there is anything in there

All on your second DC
0
drgleocklerAuthor Commented:
Nothing in Credential Manager and no services running as that account. The server also has no mapped drives or printers.
0
stu29Commented:
At this point I would personally be running Wireshark (or your preference of tool) to capture the packets to see what is passing the Admin Credentials
0
SeanSystem EngineerCommented:
any scheduled tasks?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.