If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.
Solved
administrator account lockout troubleshooting
Posted on 2016-08-08
I am stumped at what is causing administrator lockout, open to ideas/suggestions as to what is causing it. Our syslog alerts us when accounts are locked out after a certain amount of times. I turned on debugging (nltest /dbflag:0x2080ffff) and installed netwrix but I am unable to determine what is causing it.
Debug log says this is coming from this system yet there are no services that are set to logon as the domain administrator, no mapped drives, pretty sure it's none of these scheduled tasks
Roles running on this system are AD, DNS, File services.
This is our domain controller event logs.
http://i.imgur.com/M9xvIO8.jpg
Debug log says this is coming from this system yet there are no services that are set to logon as the domain administrator, no mapped drives, pretty sure it's none of these scheduled tasks
TaskName Next Run Time Status
======================================== ====================== ===============
Password expiration report 8/10/2016 7:30:11 AM Ready
Folder: \Microsoft
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management Disabled
AD RMS Rights Policy Template Management N/A Ready
Folder: \Microsoft\Windows\AppID
TaskName Next Run Time Status
======================================== ====================== ===============
PolicyConverter Disabled
VerifiedPublisherCertStoreCheck Disabled
Folder: \Microsoft\Windows\Application Experience
TaskName Next Run Time Status
======================================== ====================== ===============
AitAgent 8/9/2016 2:30:00 AM Ready
ProgramDataUpdater 8/9/2016 12:30:00 AM Ready
Folder: \Microsoft\Windows\Autochk
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
Folder: \Microsoft\Windows\CertificateServicesClient
TaskName Next Run Time Status
======================================== ====================== ===============
SystemTask N/A Ready
UserTask N/A Ready
UserTask-Roam Disabled
Folder: \Microsoft\Windows\Customer Experience Improvement Program
TaskName Next Run Time Status
======================================== ====================== ===============
Consolidator 8/8/2016 6:00:00 PM Could not start
KernelCeipTask 8/11/2016 3:30:00 AM Ready
UsbCeip 8/11/2016 1:30:00 AM Ready
Folder: \Microsoft\Windows\Customer Experience Improvement Program\Server
TaskName Next Run Time Status
======================================== ====================== ===============
ServerCeipAssistant 8/9/2016 10:57:57 PM Could not start
ServerRoleCollector 8/11/2016 12:50:44 AM Ready
ServerRoleUsageCollector 8/9/2016 11:47:06 PM Could not start
Folder: \Microsoft\Windows\Defrag
TaskName Next Run Time Status
======================================== ====================== ===============
ScheduledDefrag 8/10/2016 1:42:31 AM Ready
Folder: \Microsoft\Windows\MemoryDiagnostic
TaskName Next Run Time Status
======================================== ====================== ===============
CorruptionDetector N/A Ready
DecompressionFailureDetector N/A Ready
Folder: \Microsoft\Windows\MUI
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
Folder: \Microsoft\Windows\Multimedia
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService Disabled
Folder: \Microsoft\Windows\NetTrace
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
Folder: \Microsoft\Windows\PLA
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Power Efficiency Diagnostics
TaskName Next Run Time Status
======================================== ====================== ===============
AnalyzeSystem 8/16/2016 7:34:22 AM Ready
Folder: \Microsoft\Windows\RAC
TaskName Next Run Time Status
======================================== ====================== ===============
RacTask 8/8/2016 3:10:22 PM Ready
Folder: \Microsoft\Windows\Ras
TaskName Next Run Time Status
======================================== ====================== ===============
MobilityManager N/A Ready
Folder: \Microsoft\Windows\Registry
TaskName Next Run Time Status
======================================== ====================== ===============
RegIdleBackup 8/16/2016 12:16:17 AM Ready
Folder: \Microsoft\Windows\Server Manager
TaskName Next Run Time Status
======================================== ====================== ===============
ServerManager N/A Ready
Folder: \Microsoft\Windows\SoftwareProtectionPlatform
TaskName Next Run Time Status
======================================== ====================== ===============
SvcRestartTask Disabled
Folder: \Microsoft\Windows\Task Manager
TaskName Next Run Time Status
======================================== ====================== ===============
Interactive N/A Ready
Folder: \Microsoft\Windows\Tcpip
TaskName Next Run Time Status
======================================== ====================== ===============
IpAddressConflict1 N/A Ready
IpAddressConflict2 N/A Ready
Folder: \Microsoft\Windows\TextServicesFramework
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Running
Folder: \Microsoft\Windows\Time Synchronization
TaskName Next Run Time Status
======================================== ====================== ===============
SynchronizeTime 8/14/2016 1:00:00 AM Ready
Folder: \Microsoft\Windows\UPnP
TaskName Next Run Time Status
======================================== ====================== ===============
UPnPHostConfig N/A Ready
Folder: \Microsoft\Windows\User Profile Service
TaskName Next Run Time Status
======================================== ====================== ===============
HiveUploadTask Disabled
Folder: \Microsoft\Windows\WDI
TaskName Next Run Time Status
======================================== ====================== ===============
ResolutionHost N/A Ready
Folder: \Microsoft\Windows\Windows Error Reporting
TaskName Next Run Time Status
======================================== ====================== ===============
QueueReporting N/A Ready
Folder: \Microsoft\Windows\Windows Filtering Platform
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
Folder: \Microsoft\Windows\WindowsColorSystem
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader Disabled
Folder: \Microsoft\Windows\Wininet
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Running
Roles running on this system are AD, DNS, File services.
This is our domain controller event logs.
http://i.imgur.com/M9xvIO8.jpg
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
-
4
9 Comments
Active 7 days ago
Are you logged on as the local computer's administrator when you check the Scheduled Tasks history?
Active 6 days ago
Logged in as the domain administrator. Thought there was no local administrator account when it is running active directory?
Active 7 days ago
stlhost, Well I kind of wondered how it could be possible, but thought I'd ask. There was a KB2549079 problem that had earmarks for what you are experiencing. It said that if you were logging on to look at the Scheduled Tasks history, with a local account that had the same name as your domain account, (administrator, and administrator) it would try and log you on with he domain account of that name. It came up, so I thought I'd ask.
Active 7 days ago
stlhost, If it helps, your Event Log says that it is a bad password that is being used to try and log in on the administrator account:
C000006A user name is correct but the password is wrong
Maybe you had changed the password and some scheduled event still carries the old password etc.
C000006A user name is correct but the password is wrong
Maybe you had changed the password and some scheduled event still carries the old password etc.
Active 6 days ago
The password was changed about a year ago. The account lockouts have always been an issue it's just getting worst as time goes by. So instead of a few events starting out, we're seeing up to 100 a day.
Active 6 days ago
And actually when the alerts come to me from netwrix Ive noticed both domain controllers are showing up in the alerts not just one. If replication is failing would this cause it?
Who Changed domain\CTCDC2$
Where Changed ctcdc2.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Who Changed domain\CTCDC1$
Where Changed ctcdc1.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Who Changed domain\CTCDC2$
Where Changed ctcdc2.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Who Changed domain\CTCDC1$
Where Changed ctcdc1.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Active 7 days ago
Before the time - a year ago when you changed the administrator password, were the errors still showing up?
I suppose that you have looked at something like Process Monitor and compare the times?
So you have a netwrix tool https://www.netwrix.com/account_lockout_examiner.html and you cannot drill down to find a process that is triggering the event?
In an older 2008 entry I saw this:
jenkinsgroup
Expert Comment
on 2008-03-11 at 18:24:49ID: 21102246
To add to this question because this is where we ended up when we had a very similar problem.
Go into DHCP > Right click server (in our case the PDC emu was the only DHCP server) and go Properties > Advanced Tab > "DNS Dynamic updates registration credentials"
Check if this is referencing the old admin password. This was what was locking our admin account after a password change. Took us a month of constant lockouts before we stumbled upon it by accident.
___________ someone else actually reported that this comment helped them ________
Several people also suggested that you look at all of the services set up to logon with the admin credentials to see if one of them was trying to use the wrong (old ?) password.

Additionally, several people pointed to a time discrepancy between the servers. That would have something to do with Kerberos attempting and failing etc.
I know that these are just ideas that you have probably looked at before, but here they are just in case one may help.
I suppose that you have looked at something like Process Monitor and compare the times?
So you have a netwrix tool https://www.netwrix.com/account_lockout_examiner.html and you cannot drill down to find a process that is triggering the event?
In an older 2008 entry I saw this:
jenkinsgroup
Expert Comment
on 2008-03-11 at 18:24:49ID: 21102246
To add to this question because this is where we ended up when we had a very similar problem.
Go into DHCP > Right click server (in our case the PDC emu was the only DHCP server) and go Properties > Advanced Tab > "DNS Dynamic updates registration credentials"
Check if this is referencing the old admin password. This was what was locking our admin account after a password change. Took us a month of constant lockouts before we stumbled upon it by accident.
___________ someone else actually reported that this comment helped them ________
Several people also suggested that you look at all of the services set up to logon with the admin credentials to see if one of them was trying to use the wrong (old ?) password.

Additionally, several people pointed to a time discrepancy between the servers. That would have something to do with Kerberos attempting and failing etc.
I know that these are just ideas that you have probably looked at before, but here they are just in case one may help.
Active today
Make sure that you have any services or application that runs with your domain account.It seems that IIS is installed on DC and your domain account is configured.Check the configuration of IIS as this could be one of the case if configured.
Account Lockout and Management Tools
http://www.microsoft.com/en-us/download/details.aspx?id=18465
There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!
Please refer to below informative resources might helps you to get in detailed and lets you to resolve this issue:
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
Trace the source of a bad password and account lockout in AD:
https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad
Identify the source of Account Lockouts in Active Directory:
https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory
Hope this helps!
Account Lockout and Management Tools
http://www.microsoft.com/en-us/download/details.aspx?id=18465
There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!
Please refer to below informative resources might helps you to get in detailed and lets you to resolve this issue:
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
Trace the source of a bad password and account lockout in AD:
https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad
Identify the source of Account Lockouts in Active Directory:
https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory
Hope this helps!
Active 6 days ago
I ended up turning on diagnostics for active directory but the events were still being generated from what appeared to be only the domain controllers. In the end I turned on group policy audit logging and this gave me extra info and it turned out to be the nessus scanner that was causing it.
Featured Post
Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This Micro Tutorial hows how you can integrate Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease.
The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month9 days, 9 hours left to enroll
722 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.