Domain Admin Account Lockout


We have a domain admin account on our Windows 2008 network used for applications such as backups, antivirus and the like that doesn't have a password expiration.  Well, this account keeps getting locked out and causing some obvious problems for us.  I am trying to pinpoint the exact source of this problem but could use a little troubleshooting help.  I think it is coming from a specific server, but just can't quite put my finger on the solution.  Please let me know if there is any further information I can provide.

Amit (IT Architect) commented:
You can find this easily with the AD Lockout tool from Microsoft.

If you don't know how to use it, I can tell you.

Or you can run this command:

psloglist.exe \\pdcservername security -i 4740,4767 -m 61 -s -accepteula >eventlog.txt

This will extract the data into a txt file, and you can then search it. You can download PsTools from MS.
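The same search done from PowerShell, as an added example that is not part of the original thread or of PsTools: it reads the PDC emulator's Security log for event 4740 (account locked out) and 4767 (account unlocked) within a time window, then shows which computer reported each lockout. Account lockouts are processed on the PDC emulator, which is why the log is read there. `$Dc`, `$Account` and the window length are assumed placeholders; reading a remote Security log needs the same domain admin rights Amit mentions.

```powershell
# Added example, not from the original thread: pull lockout (4740) and unlock (4767)
# events from the PDC emulator's Security log and show which computer reported each
# lockout. Assumed placeholders: $Dc, $Account, $Minutes. Needs PowerShell 2.0+ and
# rights to read the remote Security log.
param(
    [string]$Dc      = 'PDCSERVERNAME',   # assumed name of the PDC emulator
    [string]$Account = 'svc-backup',      # assumed sAMAccountName of the service account
    [int]$Minutes    = 61                 # same window as the psloglist -m 61 example
)

# Putting Id and StartTime in the filter hashtable makes the event log service do the
# filtering, so only the last $Minutes of records are read instead of the whole log.
$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4767
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The rendered message is not needed; the EventData fields carry everything.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -ne $Account) { continue }

    # In 4740 the "Caller Computer Name" (the machine that submitted the bad credentials)
    # is stored in the TargetDomainName field; in 4767 SubjectUserName is who unlocked it.
    if ($e.Id -eq 4740) { $caller = $data['TargetDomainName'] } else { $caller = $data['SubjectUserName'] }

    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        Event  = $e.Id
        User   = $data['TargetUserName']
        Caller = $caller
        DC     = $e.MachineName
    }
}

# Detail first, then a count per caller: the machine at the top of the second list is
# the one to check for a service, scheduled task or mapped drive holding the old password.
$rows | Sort-Object Time | Format-Table Time, Event, User, Caller, DC -AutoSize
$rows | Where-Object { $_.Event -eq 4740 } | Group-Object Caller |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Because the ID and start time are part of the query, the DC only walks the tail of the log; this is the "time period parameter" that keeps a pass over a 25-million-record Security log from taking most of an hour. Remote reads over `Get-WinEvent -ComputerName` need the Remote Event Log Management firewall rule enabled on the DC.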

cheesebugah (Author) commented:
Is the greater-than symbol just preceding eventlog.txt needed in the command line you provided?
cheesebugah (Author) commented:
That command, psloglist, is not a recognized command on my DC. I suppose I need to download and install something?
cheesebugah (Author) commented:
Can I install the AD Lockout tool on my workstation?
Amit (IT Architect) commented:
You need to download PsTools from MS. psloglist is part of that toolset. You don't need to install it; it is an exe that runs without installation.

Both tools can be used from a workstation; however, you need a domain admin account to run them.
cheesebugah (Author) commented:
Cool. Thanks.
cheesebugah (Author) commented:
Okay, the AD Lockout tool requires a reboot and needs to be placed on the culprit. Not being 100% sure where the problem is coming from, and the fact that it requires a reboot, kind of rules this one out during production hours. I'll download the PsTools and see what that one offers.
Lee W, MVP (Technology and Business Process Advisor) commented:
Have you looked over your services for a service that was configured with the domain admin account? Or scheduled tasks? On your server or any other system?
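A way to do that check across several servers at once, as an added example that is not part of the original thread: it lists every service and scheduled task on a set of servers that runs under the account in question. `$Servers` and `$Account` are assumed placeholders. It uses WMI and schtasks.exe rather than newer cmdlets so that it works against Windows Server 2008 (Get-ScheduledTask only exists on 2012 and later), and it needs admin rights on each target.

```powershell
# Added example, not from the original thread: find services and scheduled tasks on a set
# of servers that run under a given account. $Servers and $Account are assumed placeholders.
param(
    [string[]]$Servers = @('SERVER1', 'SERVER2'),   # assumed server names
    [string]$Account   = 'CORP\svc-backup'          # assumed DOMAIN\user; user@domain also works
)

# Normalise DOMAIN\user, user@domain and bare user forms to the bare user name so the
# comparison does not miss a task that was entered with a different spelling.
function Get-BareUser([string]$Name) {
    if ($Name -match '\\') { return ($Name -split '\\')[-1] }
    if ($Name -match '@')  { return ($Name -split '@')[0] }
    return $Name
}
$user = Get-BareUser $Account

$found = foreach ($s in $Servers) {
    # Services: Win32_Service.StartName is the logon account the service starts as
    # (Get-Service does not expose it).
    Get-WmiObject -Class Win32_Service -ComputerName $s -ErrorAction SilentlyContinue |
        Where-Object { (Get-BareUser $_.StartName) -eq $user } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Server = $s; Type = 'Service'; Name = $_.Name; RunAs = $_.StartName; State = $_.State
            }
        }

    # Scheduled tasks: /v /fo csv gives one row per task with a "Run As User" column.
    # schtasks repeats the header row per task folder; those rows fail the RunAs match.
    schtasks.exe /query /s $s /v /fo csv 2>$null | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -and (Get-BareUser $_.'Run As User') -eq $user } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Server = $s; Type = 'Task'; Name = $_.TaskName; RunAs = $_.'Run As User'; State = $_.Status
            }
        }
}

$found | Format-Table Server, Type, Name, RunAs, State -AutoSize
```

Anything this turns up still holds whatever password was typed in when it was configured; a service or task that was set up before a password change keeps retrying the old one and is a classic source of repeated 4740 events.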
Amit (IT Architect) commented:
Read this

Try the command; that is much easier. I run the same command every 30 minutes and extract it to a txt file. The next day I send one HTML report of all the accounts that were locked out and from which server.
cheesebugah (Author) commented:
The command is running and has been for about half an hour now? I am going to stop it and run it against a different DC. I think the first one is having issues.
cheesebugah (Author) commented:
Man, this is taking forever. Can you narrow down this search with a time period parameter? I checked the Security log on the server and there are over 25 million logs in there.
Amit (IT Architect) commented:
Whatever way you do it, you need to search the logs, and it takes time to do it.
cheesebugah (Author) commented:
The first pass on one of our DCs found nothing. That doesn't seem right to me? "No records in Security event log on Server."
cheesebugah (Author) commented:
Okay, here is what I think has happened. We recently changed our AD password complexity requirements and increased the number of characters required. Do you think that by changing the password complexity requirements the account has picked up on this? I can still log on with the account and old password though? I read somewhere that if you change the complexity requirements, this might cause problems for service accounts even though the "Password never expires" check box is checked. Any thoughts?
cheesebugah (Author) commented:
The second pass on the PDC found nothing also.
Amit (IT Architect) commented:
Changing password complexity can cause this issue. You can create a fine-grained password policy for this account and assign it. Then check if you still face the same issue.
cheesebugah (Author) commented:
So what do you mean by "create a fine-grained password policy for this account and assign it"? Am I creating a GP? Can this be done on the account properties GUI?
Amit (IT Architect) commented:
You can create it using adsiedit only. Watch this video
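The fine-grained password policy Amit describes, as an added example that is not part of the original thread: it creates a Password Settings Object (PSO) and applies it to a group containing the service account using the ActiveDirectory PowerShell module instead of ADSI Edit. That module is an assumption (it ships with Windows Server 2008 R2 domain controllers and the matching RSAT; on plain 2008 the ADSI Edit route Amit gives is the one available), and PSOs require the domain functional level to be Windows Server 2008. Account, group and policy names are placeholders.

```powershell
# Added example, not from the original thread: create a fine-grained password policy (PSO)
# for a service account with the ActiveDirectory module rather than ADSI Edit. Assumes the
# module is available and the domain functional level is Windows Server 2008 or higher.
Import-Module ActiveDirectory

$account = 'svc-backup'           # assumed sAMAccountName of the locked-out account
$group   = 'ServiceAccounts-PSO'  # assumed global security group to carry the policy
$psoName = 'PSO-ServiceAccounts'  # assumed PSO name

# PSOs apply to users and global security groups, never to OUs. Applying it through a group
# means one policy covers every service account added to that group later.
if (-not (Get-ADGroup -Filter { Name -eq $group })) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $group -Members $account

$pso = @{
    Name                        = $psoName
    Precedence                  = 10               # lowest value wins if several PSOs apply
    ComplexityEnabled           = $true
    MinPasswordLength           = 20
    PasswordHistoryCount        = 24
    MinPasswordAge              = '1.00:00:00'     # d.hh:mm:ss
    MaxPasswordAge              = '365.00:00:00'   # long, but not "never expires"
    LockoutThreshold            = 50               # tolerates a burst of retries from one stale client
    LockoutObservationWindow    = '0.00:30:00'
    LockoutDuration             = '0.00:30:00'
    ReversibleEncryptionEnabled = $false
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter { Name -eq $psoName })) {
    New-ADFineGrainedPasswordPolicy @pso
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Check what the account actually resolves to: it should now be $psoName rather than
# the Default Domain Policy settings.
Get-ADUserResultantPasswordPolicy -Identity $account |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

A PSO changes which rules apply to the account; it does not change a password stored in a service, scheduled task or mapped drive, so if 4740 events keep appearing, the caller computer named in them is still where the stale credential lives. A high lockout threshold on a domain admin account also weakens the protection lockout gives against password guessing, so treat the PSO as a way to keep backups running while the source is found, not as the fix.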
Seth Simmons (Sr. Systems Administrator) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.