R W
asked on
administrator account lockout troubleshooting
I am stumped at what is causing administrator lockout, open to ideas/suggestions as to what is causing it. Our syslog alerts us when accounts are locked out after a certain number of times. I turned on debugging (nltest /dbflag:0x2080ffff) and installed netwrix but I am unable to determine what is causing it.
Debug log says this is coming from this system yet there are no services that are set to logon as the domain administrator, no mapped drives, pretty sure it's none of these scheduled tasks
TaskName Next Run Time Status
======================================== ====================== ===============
Password expiration report 8/10/2016 7:30:11 AM Ready
Folder: \Microsoft
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management Disabled
AD RMS Rights Policy Template Management N/A Ready
Folder: \Microsoft\Windows\AppID
TaskName Next Run Time Status
======================================== ====================== ===============
PolicyConverter Disabled
VerifiedPublisherCertStoreCheck Disabled
Folder: \Microsoft\Windows\Application Experience
TaskName Next Run Time Status
======================================== ====================== ===============
AitAgent 8/9/2016 2:30:00 AM Ready
ProgramDataUpdater 8/9/2016 12:30:00 AM Ready
Folder: \Microsoft\Windows\Autochk
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
Folder: \Microsoft\Windows\CertificateServicesClient
TaskName Next Run Time Status
======================================== ====================== ===============
SystemTask N/A Ready
UserTask N/A Ready
UserTask-Roam Disabled
Folder: \Microsoft\Windows\Customer Experience Improvement Program
TaskName Next Run Time Status
======================================== ====================== ===============
Consolidator 8/8/2016 6:00:00 PM Could not start
KernelCeipTask 8/11/2016 3:30:00 AM Ready
UsbCeip 8/11/2016 1:30:00 AM Ready
Folder: \Microsoft\Windows\Customer Experience Improvement Program\Server
TaskName Next Run Time Status
======================================== ====================== ===============
ServerCeipAssistant 8/9/2016 10:57:57 PM Could not start
ServerRoleCollector 8/11/2016 12:50:44 AM Ready
ServerRoleUsageCollector 8/9/2016 11:47:06 PM Could not start
Folder: \Microsoft\Windows\Defrag
TaskName Next Run Time Status
======================================== ====================== ===============
ScheduledDefrag 8/10/2016 1:42:31 AM Ready
Folder: \Microsoft\Windows\MemoryDiagnostic
TaskName Next Run Time Status
======================================== ====================== ===============
CorruptionDetector N/A Ready
DecompressionFailureDetector N/A Ready
Folder: \Microsoft\Windows\MUI
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
Folder: \Microsoft\Windows\Multimedia
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService Disabled
Folder: \Microsoft\Windows\NetTrace
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
Folder: \Microsoft\Windows\PLA
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Power Efficiency Diagnostics
TaskName Next Run Time Status
======================================== ====================== ===============
AnalyzeSystem 8/16/2016 7:34:22 AM Ready
Folder: \Microsoft\Windows\RAC
TaskName Next Run Time Status
======================================== ====================== ===============
RacTask 8/8/2016 3:10:22 PM Ready
Folder: \Microsoft\Windows\Ras
TaskName Next Run Time Status
======================================== ====================== ===============
MobilityManager N/A Ready
Folder: \Microsoft\Windows\Registry
TaskName Next Run Time Status
======================================== ====================== ===============
RegIdleBackup 8/16/2016 12:16:17 AM Ready
Folder: \Microsoft\Windows\Server Manager
TaskName Next Run Time Status
======================================== ====================== ===============
ServerManager N/A Ready
Folder: \Microsoft\Windows\SoftwareProtectionPlatform
TaskName Next Run Time Status
======================================== ====================== ===============
SvcRestartTask Disabled
Folder: \Microsoft\Windows\Task Manager
TaskName Next Run Time Status
======================================== ====================== ===============
Interactive N/A Ready
Folder: \Microsoft\Windows\Tcpip
TaskName Next Run Time Status
======================================== ====================== ===============
IpAddressConflict1 N/A Ready
IpAddressConflict2 N/A Ready
Folder: \Microsoft\Windows\TextServicesFramework
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Running
Folder: \Microsoft\Windows\Time Synchronization
TaskName Next Run Time Status
======================================== ====================== ===============
SynchronizeTime 8/14/2016 1:00:00 AM Ready
Folder: \Microsoft\Windows\UPnP
TaskName Next Run Time Status
======================================== ====================== ===============
UPnPHostConfig N/A Ready
Folder: \Microsoft\Windows\User Profile Service
TaskName Next Run Time Status
======================================== ====================== ===============
HiveUploadTask Disabled
Folder: \Microsoft\Windows\WDI
TaskName Next Run Time Status
======================================== ====================== ===============
ResolutionHost N/A Ready
Folder: \Microsoft\Windows\Windows Error Reporting
TaskName Next Run Time Status
======================================== ====================== ===============
QueueReporting N/A Ready
Folder: \Microsoft\Windows\Windows Filtering Platform
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
Folder: \Microsoft\Windows\WindowsColorSystem
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader Disabled
Folder: \Microsoft\Windows\Wininet
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Running
Roles running on this system are AD, DNS, File services.
This is our domain controller event logs.
http://i.imgur.com/M9xvIO8.jpg
Are you logged on as the local computer's administrator when you check the Scheduled Tasks history?
ASKER
Logged in as the domain administrator. Thought there was no local administrator account when it is running active directory?
stlhost, Well I kind of wondered how it could be possible, but thought I'd ask. There was a KB2549079 problem that had earmarks for what you are experiencing. It said that if you were logging on to look at the Scheduled Tasks history, with a local account that had the same name as your domain account, (administrator, and administrator) it would try and log you on with the domain account of that name. It came up, so I thought I'd ask.
stlhost, If it helps, your Event Log says that it is a bad password that is being used to try and log in on the administrator account:
C000006A user name is correct but the password is wrong
Maybe you had changed the password and some scheduled event still carries the old password etc.
ASKER
The password was changed about a year ago. The account lockouts have always been an issue; it's just getting worse as time goes by. So instead of a few events starting out, we're seeing up to 100 a day.
ASKER
And actually when the alerts come to me from netwrix I've noticed both domain controllers are showing up in the alerts, not just one. If replication is failing would this cause it?
Who Changed domain\CTCDC2$
Where Changed ctcdc2.domain
Object Name \local\domain\Users\Administrator
Details User Account Locked Out
Who Changed domain\CTCDC1$
Where Changed ctcdc1.domain
Object Name \local\domain\Users\Administrator
Details User Account Locked Out
Who Changed domain\CTCDC2$
Where Changed ctcdc2.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Who Changed domain\CTCDC1$
Where Changed ctcdc1.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Before the time - a year ago when you changed the administrator password, were the errors still showing up?
I suppose that you have looked at something like Process Monitor and compare the times?
So you have a netwrix tool https://www.netwrix.com/account_lockout_examiner.html and you cannot drill down to find a process that is triggering the event?
In an older 2008 entry I saw this:
jenkinsgroup
Expert Comment
on 2008-03-11 at 18:24:49 ID: 21102246
To add to this question because this is where we ended up when we had a very similar problem.
Go into DHCP > Right click server (in our case the PDC emu was the only DHCP server) and go Properties > Advanced Tab > "DNS Dynamic updates registration credentials"
Check if this is referencing the old admin password. This was what was locking our admin account after a password change. Took us a month of constant lockouts before we stumbled upon it by accident.
___________ someone else actually reported that this comment helped them ________
Several people also suggested that you look at all of the services set up to logon with the admin credentials to see if one of them was trying to use the wrong (old ?) password.
Additionally, several people pointed to a time discrepancy between the servers. That would have something to do with Kerberos attempting and failing etc.
I know that these are just ideas that you have probably looked at before, but here they are just in case one may help.
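The three places this comment points at (services, scheduled tasks, DHCP dynamic DNS credentials) can be checked in one pass. This is an added example from the editor, not code from the thread; it assumes Windows PowerShell 3 or later on the server being checked and, for the DHCP part, the DhcpServer module that ships with Server 2012 and later.

```powershell
# Added example (editor's own, not from the thread). Run on each DC or member server
# you suspect. Assumes Windows PowerShell 3+; the DHCP check needs the DhcpServer module
# (Server 2012+), so it is skipped where the module is absent.
$account = 'Administrator'   # sAMAccountName whose stale credential we are hunting for

# 1. Services whose logon account is DOMAIN\Administrator or Administrator@domain
Get-CimInstance Win32_Service |
  Where-Object { $_.StartName -like "*\$account" -or $_.StartName -like "$account@*" } |
  Select-Object Name, StartName, State

# 2. Scheduled tasks: the plain "schtasks /query" listing in the question does not show
#    the run-as user; the verbose CSV form does
schtasks /query /v /fo csv | ConvertFrom-Csv |
  Where-Object { $_.'Run As User' -like "*$account" } |
  Select-Object TaskName, 'Run As User', 'Task To Run', 'Last Result'

# 3. DHCP dynamic DNS registration credentials (the 2008 tip quoted above); an old
#    password stored here fails every time the DHCP server registers a lease in DNS
if (Get-Module -ListAvailable -Name DhcpServer) {
    Import-Module DhcpServer
    Get-DhcpServerDnsCredential   # shows UserName and DomainName; password is not shown
}
```

Anything listed by steps 1 or 2 that still runs with the year-old password will produce the C000006A failures seen in the event log each time it starts.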
ASKER CERTIFIED SOLUTION
ASKER
I ended up turning on diagnostics for active directory but the events were still being generated from what appeared to be only the domain controllers. In the end I turned on group policy audit logging and this gave me extra info and it turned out to be the nessus scanner that was causing it.
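Once auditing is on, the part netwrix and the nltest debug log could not show (the lockout records only name the DCs, as in the alerts above) is recoverable from the DCs' own Security logs: event 4740 on the PDC emulator records each lockout, and the 4771/4625 bad-password failures that precede it carry the client IP address of whatever sent the wrong password, which is how a scanner stands out. The script below is an added example from the editor, not code from the thread or from netwrix; it assumes the RSAT ActiveDirectory module, rights to read the Security log on every DC, and that Account Lockout, Logon and Kerberos Authentication Service auditing are enabled.

```powershell
# Added example (editor's own, not from the thread). Assumes the RSAT ActiveDirectory module,
# read access to the Security log on every DC, and auditing that produces events
# 4740 (lockout), 4771 (Kerberos pre-auth failure) and 4625 (logon failure).
Import-Module ActiveDirectory

function Get-EventField {
    # Pull one named EventData field out of an event record by parsing its XML
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-LockoutSource {
    param([string]$User = 'Administrator', [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # 4740 is written only on the PDC emulator; its "Caller Computer Name" is often just
    # a DC (as in the netwrix alerts above), so it is a starting point, not the answer
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } |
      Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
      ForEach-Object { "{0:u} {1} locked out, caller: {2}" -f $_.TimeCreated, $User, (Get-EventField $_ 'TargetDomainName') }

    # The wrong-password attempts that caused it carry the client IP: 4771 with Status 0x18
    # (Kerberos pre-auth, bad password) and 4625 with SubStatus 0xC000006A (NTLM/other)
    $hits = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4625; StartTime = $since } |
          ForEach-Object {
            if ((Get-EventField $_ 'TargetUserName') -ne $User) { return }
            $code = if ($_.Id -eq 4771) { Get-EventField $_ 'Status' } else { Get-EventField $_ 'SubStatus' }
            if ($code -notin @('0x18', '0xc000006a')) { return }
            [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; EventId = $_.Id
                               Source = (Get-EventField $_ 'IpAddress') }
          }
    }
    # Rank sources by failure count: a scanner or a service with a stale password floats to the top
    $hits | Group-Object Source | Sort-Object Count -Descending |
      Select-Object Count, Name, @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Time)[0].Time } }
}

Find-LockoutSource -User 'Administrator' -Hours 24
```

If the top source resolves to a vulnerability scanner, as it did here, the fix is on the scanner's credential configuration rather than on the DCs.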