drgleockler asked:

Account is locking out constantly

We have an admin account that has recently had the password changed. It is constantly being locked out since the password was changed but we can't find out why. I am a novice with log entries...
Windows Server 2008

Last Comment: Sean, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
TunerML

ASKER
drgleockler

No software is using the account that I know of. I used a lockout examiner and this is the information it gave me.
Capture.JPG
Sean

Make sure you don't have a service on the server trying to run as that account. That is what it looks like to me. Something is trying to log into the account and is not getting in. You may also want to check your event logs for failed login attempts.
stu29

Check your Security log on the DC. It will tell you a lot of info. Filter by failed audits and start to check the failures for your Admin account.

Things it could be: services running under the Admin credentials, software doing the same, mail-enabled software trying to send emails/alerts, scheduled tasks ...
stu29

First figure out which machine(s) the failures are coming from.
ASKER
drgleockler

Here is the security log info I found...help?
Capture2.JPG
stu29

Failure code 0x18 is a pre-auth failure with bad password for Kerberos.

What machine does the IP Address belong to?
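
The following PowerShell is an added example, not posted by anyone in the thread: it reads Kerberos pre-authentication failures with failure code 0x18 for one account from a DC's Security log and counts them per client IP address, which is the "which machine" question asked above. The account name is a placeholder, and the event ID (4771) and field names (`TargetUserName`, `Status`, `IpAddress`) are those of the Kerberos pre-authentication failure event on Windows Server 2008 and later, which the screenshot is assumed to show.

```powershell
# Added example. Run in an elevated PowerShell session on the domain controller
# whose Security log is being examined.
$Account = 'ADMIN-ACCOUNT-PLACEHOLDER'   # placeholder: sAMAccountName of the locked-out account
$Hours   = 24                            # how far back to look

# Event 4771 = Kerberos pre-authentication failed (logged as an audit failure).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Turn the <EventData><Data Name="..."> elements into a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }

    # Keep only bad-password failures (0x18) for the account of interest.
    # -eq is case-insensitive, so the logged casing of the name does not matter.
    if ($data['TargetUserName'] -eq $Account -and $data['Status'] -eq '0x18') {
        New-Object PSObject -Property @{
            Time     = $e.TimeCreated
            LoggedOn = $e.MachineName
            # IPv4 clients are logged as IPv4-mapped IPv6 (::ffff:a.b.c.d).
            ClientIP = $data['IpAddress'] -replace '^::ffff:', ''
            Port     = $data['IpPort']
        }
    }
}

# Failures per source address, busiest first.
$failures | Group-Object ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# The ten most recent failures, to show how often the attempts repeat.
$failures | Sort-Object Time -Descending |
    Select-Object -First 10 Time, ClientIP, Port, LoggedOn
```

A source that fails at a fixed interval points at something automated on that machine, such as a service or scheduled task still using the old password.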
ASKER
drgleockler

Our secondary domain controller.
Sean

Check services on that DC and make sure nothing is running as the admin account.
stu29

I would say you have something configured to run with the admin account credentials: services, software, explicit mapped drives or printers, scheduled tasks.

Check Credential Manager also to see if there is anything in there.

All on your second DC.
ASKER
drgleockler

Nothing in Credential Manager and no services running as that account. The server also has no mapped drives or printers.
stu29

At this point I would personally be running Wireshark (or your preference of tool) to capture the packets to see what is passing the Admin credentials.
Sean

Any scheduled tasks?