Blockchain expert Alex Tapscott talks to Acronis VP Frank Jablonski about this revolutionary technology and how it's making inroads into other industries and facets of everyday life.
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
administrator account lockout troubleshooting
Posted on 2016-08-08
I am stumped at what is causing administrator lockout, open to ideas/suggestions as to what is causing it. Our syslog alerts us when accounts are locked out after a certain amount of times. I turned on debugging (nltest /dbflag:0x2080ffff) and installed netwrix but I am unable to determine what is causing it.
Debug log says this is coming from this system yet there are no services that are set to logon as the domain administrator, no mapped drives, pretty sure it's none of these scheduled tasks
Roles running on this system are AD, DNS, File services.
This is our domain controller event logs.
http://i.imgur.com/M9xvIO8.jpg
Debug log says this is coming from this system yet there are no services that are set to logon as the domain administrator, no mapped drives, pretty sure it's none of these scheduled tasks
TaskName Next Run Time Status
======================================== ====================== ===============
Password expiration report 8/10/2016 7:30:11 AM Ready
Folder: \Microsoft
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management Disabled
AD RMS Rights Policy Template Management N/A Ready
Folder: \Microsoft\Windows\AppID
TaskName Next Run Time Status
======================================== ====================== ===============
PolicyConverter Disabled
VerifiedPublisherCertStoreCheck Disabled
Folder: \Microsoft\Windows\Application Experience
TaskName Next Run Time Status
======================================== ====================== ===============
AitAgent 8/9/2016 2:30:00 AM Ready
ProgramDataUpdater 8/9/2016 12:30:00 AM Ready
Folder: \Microsoft\Windows\Autochk
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
Folder: \Microsoft\Windows\CertificateServicesClient
TaskName Next Run Time Status
======================================== ====================== ===============
SystemTask N/A Ready
UserTask N/A Ready
UserTask-Roam Disabled
Folder: \Microsoft\Windows\Customer Experience Improvement Program
TaskName Next Run Time Status
======================================== ====================== ===============
Consolidator 8/8/2016 6:00:00 PM Could not start
KernelCeipTask 8/11/2016 3:30:00 AM Ready
UsbCeip 8/11/2016 1:30:00 AM Ready
Folder: \Microsoft\Windows\Customer Experience Improvement Program\Server
TaskName Next Run Time Status
======================================== ====================== ===============
ServerCeipAssistant 8/9/2016 10:57:57 PM Could not start
ServerRoleCollector 8/11/2016 12:50:44 AM Ready
ServerRoleUsageCollector 8/9/2016 11:47:06 PM Could not start
Folder: \Microsoft\Windows\Defrag
TaskName Next Run Time Status
======================================== ====================== ===============
ScheduledDefrag 8/10/2016 1:42:31 AM Ready
Folder: \Microsoft\Windows\MemoryDiagnostic
TaskName Next Run Time Status
======================================== ====================== ===============
CorruptionDetector N/A Ready
DecompressionFailureDetector N/A Ready
Folder: \Microsoft\Windows\MUI
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
Folder: \Microsoft\Windows\Multimedia
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService Disabled
Folder: \Microsoft\Windows\NetTrace
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
Folder: \Microsoft\Windows\PLA
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Power Efficiency Diagnostics
TaskName Next Run Time Status
======================================== ====================== ===============
AnalyzeSystem 8/16/2016 7:34:22 AM Ready
Folder: \Microsoft\Windows\RAC
TaskName Next Run Time Status
======================================== ====================== ===============
RacTask 8/8/2016 3:10:22 PM Ready
Folder: \Microsoft\Windows\Ras
TaskName Next Run Time Status
======================================== ====================== ===============
MobilityManager N/A Ready
Folder: \Microsoft\Windows\Registry
TaskName Next Run Time Status
======================================== ====================== ===============
RegIdleBackup 8/16/2016 12:16:17 AM Ready
Folder: \Microsoft\Windows\Server Manager
TaskName Next Run Time Status
======================================== ====================== ===============
ServerManager N/A Ready
Folder: \Microsoft\Windows\SoftwareProtectionPlatform
TaskName Next Run Time Status
======================================== ====================== ===============
SvcRestartTask Disabled
Folder: \Microsoft\Windows\Task Manager
TaskName Next Run Time Status
======================================== ====================== ===============
Interactive N/A Ready
Folder: \Microsoft\Windows\Tcpip
TaskName Next Run Time Status
======================================== ====================== ===============
IpAddressConflict1 N/A Ready
IpAddressConflict2 N/A Ready
Folder: \Microsoft\Windows\TextServicesFramework
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Running
Folder: \Microsoft\Windows\Time Synchronization
TaskName Next Run Time Status
======================================== ====================== ===============
SynchronizeTime 8/14/2016 1:00:00 AM Ready
Folder: \Microsoft\Windows\UPnP
TaskName Next Run Time Status
======================================== ====================== ===============
UPnPHostConfig N/A Ready
Folder: \Microsoft\Windows\User Profile Service
TaskName Next Run Time Status
======================================== ====================== ===============
HiveUploadTask Disabled
Folder: \Microsoft\Windows\WDI
TaskName Next Run Time Status
======================================== ====================== ===============
ResolutionHost N/A Ready
Folder: \Microsoft\Windows\Windows Error Reporting
TaskName Next Run Time Status
======================================== ====================== ===============
QueueReporting N/A Ready
Folder: \Microsoft\Windows\Windows Filtering Platform
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
Folder: \Microsoft\Windows\WindowsColorSystem
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader Disabled
Folder: \Microsoft\Windows\Wininet
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Running
Roles running on this system are AD, DNS, File services.
This is our domain controller event logs.
http://i.imgur.com/M9xvIO8.jpg
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
-
4
9 Comments
Logged in as the domain administrator. Thought there was no local administrator account when it is running active directory?
stlhost, Well I kind of wondered how it could be possible, but thought I'd ask. There was a KB2549079 problem that had earmarks for what you are experiencing. It said that if you were logging on to look at the Scheduled Tasks history, with a local account that had the same name as your domain account, (administrator, and administrator) it would try and log you on with he domain account of that name. It came up, so I thought I'd ask.
stlhost, If it helps, your Event Log says that it is a bad password that is being used to try and log in on the administrator account:
C000006A user name is correct but the password is wrong
Maybe you had changed the password and some scheduled event still carries the old password etc.
C000006A user name is correct but the password is wrong
Maybe you had changed the password and some scheduled event still carries the old password etc.
The password was changed about a year ago. The account lockouts have always been an issue it's just getting worst as time goes by. So instead of a few events starting out, we're seeing up to 100 a day.
And actually when the alerts come to me from netwrix Ive noticed both domain controllers are showing up in the alerts not just one. If replication is failing would this cause it?
Who Changed domain\CTCDC2$
Where Changed ctcdc2.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Who Changed domain\CTCDC1$
Where Changed ctcdc1.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Who Changed domain\CTCDC2$
Where Changed ctcdc2.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Who Changed domain\CTCDC1$
Where Changed ctcdc1.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Before the time - a year ago when you changed the administrator password, were the errors still showing up?
I suppose that you have looked at something like Process Monitor and compare the times?
So you have a netwrix tool https://www.netwrix.com/account_lockout_examiner.html and you cannot drill down to find a process that is triggering the event?
In an older 2008 entry I saw this:
jenkinsgroup
Expert Comment
on 2008-03-11 at 18:24:49ID: 21102246
To add to this question because this is where we ended up when we had a very similar problem.
Go into DHCP > Right click server (in our case the PDC emu was the only DHCP server) and go Properties > Advanced Tab > "DNS Dynamic updates registration credentials"
Check if this is referencing the old admin password. This was what was locking our admin account after a password change. Took us a month of constant lockouts before we stumbled upon it by accident.
___________ someone else actually reported that this comment helped them ________
Several people also suggested that you look at all of the services set up to logon with the admin credentials to see if one of them was trying to use the wrong (old ?) password.
Additionally, several people pointed to a time discrepancy between the servers. That would have something to do with Kerberos attempting and failing etc.
I know that these are just ideas that you have probably looked at before, but here they are just in case one may help.
I suppose that you have looked at something like Process Monitor and compare the times?
So you have a netwrix tool https://www.netwrix.com/account_lockout_examiner.html and you cannot drill down to find a process that is triggering the event?
In an older 2008 entry I saw this:
jenkinsgroup
Expert Comment
on 2008-03-11 at 18:24:49ID: 21102246
To add to this question because this is where we ended up when we had a very similar problem.
Go into DHCP > Right click server (in our case the PDC emu was the only DHCP server) and go Properties > Advanced Tab > "DNS Dynamic updates registration credentials"
Check if this is referencing the old admin password. This was what was locking our admin account after a password change. Took us a month of constant lockouts before we stumbled upon it by accident.
___________ someone else actually reported that this comment helped them ________
Several people also suggested that you look at all of the services set up to logon with the admin credentials to see if one of them was trying to use the wrong (old ?) password.
Additionally, several people pointed to a time discrepancy between the servers. That would have something to do with Kerberos attempting and failing etc.
I know that these are just ideas that you have probably looked at before, but here they are just in case one may help.
Active today
Make sure that you have any services or application that runs with your domain account.It seems that IIS is installed on DC and your domain account is configured.Check the configuration of IIS as this could be one of the case if configured.
Account Lockout and Management Tools
http://www.microsoft.com/en-us/download/details.aspx?id=18465
There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!
Please refer to below informative resources might helps you to get in detailed and lets you to resolve this issue:
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
Trace the source of a bad password and account lockout in AD:
https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad
Identify the source of Account Lockouts in Active Directory:
https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory
Hope this helps!
Account Lockout and Management Tools
http://www.microsoft.com/en-us/download/details.aspx?id=18465
There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!
Please refer to below informative resources might helps you to get in detailed and lets you to resolve this issue:
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
Trace the source of a bad password and account lockout in AD:
https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad
Identify the source of Account Lockouts in Active Directory:
https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory
Hope this helps!
Featured Post
Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Compliance and data security require steps be taken to prevent unauthorized users from copying data. Here's one method to prevent data theft via USB drives (and writable optical media).
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention.
Multiple USB devices need t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten.
The USB drive must be s…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month3 days, 15 hours left to enroll
630 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.