Bot-PC Being Locked Out

Connecting to our Windows 2008 R2 terminal server, we have a Bot-PC dedicated to running scheduled tasks.
Every hour it boots itself and starts its one-hour cycle of tasks.
I tweaked the PC registry for its auto-login to the domain.
It then has a shortcut in the Startup folder that triggers an RDP session.

It seems that ever since I changed our admin password it keeps being locked out by the system.
Of course, that could be a coincidence.
I have to go to AD and Unlock the account a few times per day.
Maybe it's every hour, I've only just today started checking hourly.

I’m not sure what logs to look at or where to check first?
All tasks seem to be working, so I don't think I missed any credentials (as soon as I unlock the account all tasks work, including the RDP shortcut).
S.
slamond Asked:
Michael Pfister Commented:
Check all the scheduled tasks and scripts it starts via auto start to see if they contain a username/password. Sysinternals Autoruns is a good tool to check all the places where an autostart script/program could have been hidden.
0
btan (Exec Consultant) Commented:
Check for a hardcoded admin password, as such manual changes can cause unintentional lockout. I am wondering whether you are referring to a local or domain admin, but it should be the domain admin since you saw that lockout from the concerned machine.

Suggest looking at the event log to verify the details of the machine and user. Event ID 644 or 4740 will indicate that a user account was locked out after repeated logon failures due to a bad password.

The following tools are useful to help you to isolate and troubleshoot lockout issues from AD and client end.

http://www.microsoft.com/en-us/download/details.aspx?id=18465
0
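The event lookup suggested above, as an added example that is not part of the original thread: a PowerShell function that takes 4740 events as XML and reports which computer the bad logons came from. The domain controller name `DC01`, the account `svc-example`, the host `OLD-MAILSRV` and the sample event are constructed for illustration.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible (Windows 2008 R2).
# In a 4740 event the locked account is in TargetUserName and the
# "Caller Computer Name" is stored in the TargetDomainName field.
function Get-LockoutSource {
    param([Parameter(Mandatory=$true)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).DocumentElement
        $sys = $evt['System']
        if ($sys['EventID'].InnerText -ne '4740') { continue }   # ignore other events
        $data = @{}
        foreach ($d in $evt['EventData'].GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        New-Object PSObject -Property @{
            TimeUtc        = $sys['TimeCreated'].GetAttribute('SystemTime')
            LoggedOn       = $sys['Computer'].InnerText       # DC that recorded the lockout
            LockedAccount  = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']        # machine sending the bad password
        }
    }
}

# Constructed sample event (trimmed to the fields used above).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2015-01-01T09:00:05.000000000Z" />
    <Computer>dc01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc-example</Data>
    <Data Name="TargetDomainName">OLD-MAILSRV</Data>
  </EventData>
</Event>
'@
Get-LockoutSource -EventXml $sample

# Live use against a domain controller (DC01 is a placeholder name):
# $xml = Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=4740} |
#        ForEach-Object { $_.ToXml() }
# Get-LockoutSource -EventXml $xml | Sort-Object TimeUtc
```

The `CallerComputer` value names the machine to inspect for stale credentials, which can be a host other than the one you expected.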

slamond (Author) Commented:
To mpfister, I installed and ran EventCombMT with your document link's settings. I selected a limited time range of about an hour during which a new lockout occurred at least once.
I couldn't decipher anything from reading the logs so I attached them.
EventCombMT.txt
BORDENSRV-Security_LOG.txt
0
btan (Exec Consultant) Commented:
From the Logon Type 4, it looks like a batch job that executes a scheduled task. Possibilities that generate a logon failure event include:
- attempts to guess the password of an account through scheduled tasks. This task may also be using accounts on a (or to map to a) file share server that failed.
- an administrator entering the wrong password for the account at the time of task creation, or the password of an account being changed without modifying the scheduled task to use the new password.
Disable all scheduled tasks to see if there is any error; maybe some other program is running too. Other shared
This Event is usually caused by a stale hidden credential. Try this from the system giving the error:

From a command prompt run: psexec -i -s -d cmd.exe

From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr

Remove any items that appear in the list of Stored User Names and Passwords. Restart the computer.
0
slamond (Author) Commented:
btan,
Assuming you wanted this run on the terminal server, I'm getting "psexec is not a recognized command".
S.
0
slamond (Author) Commented:
I also installed alockout.dll and ran appinit.reg on both the BOT-PC and the terminal server and booted both last night. Today, after multiple locks, there is still no Alockout.log file being created. Notably, no winnt\debug directory exists on either machine, so I assumed to look in windows\debug but found no log files. I'm now wondering if I was supposed to install this tool on the server where Active Directory is running?
0
btan (Exec Consultant) Commented:
PsExec is a standalone exe which you can find in Sysinternals. For the lockout tool, you need to have it in the AD.
https://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx
0
slamond (Author) Commented:
I just went through every task on every server and then remembered that our old mail server is still online. I found a group of tasks being run by user Robot. I deleted them all. They had likely been running with valid credentials before the recent password change but were not executing anything since the target files had been moved. I won't be sure of this being the fix until we cycle through several hours without any locking. I'll be back.
0
slamond (Author) Commented:
That was the fix. Now to award points. The last time I tried to spread the wealth the moderator gave me crap for arbitrarily, in their opinion, awarding points, even though I clearly stated the fix was mine but with guidance. To avoid the crap, I'm going back and awarding all points to the first person to mention old tasks/bad passwords. Thanks to all.
S.
0
slamond (Author) Commented:
In the end, I reentered every password on all tasks being executed by the user being locked out. Ultimately the offending tasks were on an old mail server that I had forgotten was still online.
0
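The sweep that found the fix (every task on every server run by the locked-out user), as an added example that is not part of the original thread: a PowerShell function that filters verbose `schtasks` CSV output by run-as account. The server names, the `EXAMPLE` domain and the sample rows are constructed; the column names are those of English-language `schtasks /Query /FO CSV /V` output.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible (Windows 2008 R2).
function Find-TaskByRunAs {
    param(
        [Parameter(Mandatory=$true)][string[]]$CsvLines,  # lines from schtasks /Query /FO CSV /V
        [Parameter(Mandatory=$true)][string]$Account      # account name without the domain part
    )
    # Match "robot", "DOMAIN\robot" and "robot@domain", case-insensitively.
    $pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'
    $CsvLines |
        Where-Object { $_ } |                             # drop blank lines
        ConvertFrom-Csv |
        Where-Object {
            # schtasks repeats the header row per task folder; skip those rows.
            $_.TaskName -ne 'TaskName' -and $_.'Run As User' -match $pattern
        } |
        Select-Object HostName, TaskName, 'Run As User', 'Last Result', 'Task To Run'
}

# Constructed sample output, trimmed to the columns used above.
$sample = @(
    '"HostName","TaskName","Last Result","Task To Run","Run As User"',
    '"OLD-MAILSRV","\Nightly export","1","C:\jobs\export.cmd","EXAMPLE\robot"',
    '"HostName","TaskName","Last Result","Task To Run","Run As User"',
    '"OLD-MAILSRV","\Defrag","0","defrag.exe C:","SYSTEM"'
)
Find-TaskByRunAs -CsvLines $sample -Account 'robot'

# Live use across servers (names are placeholders; include hosts that are
# supposed to be retired but are still online):
# foreach ($s in 'TERMSRV', 'BOT-PC', 'OLD-MAILSRV') {
#     Find-TaskByRunAs -CsvLines (schtasks.exe /Query /S $s /FO CSV /V) -Account 'robot'
# }
```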