Solved

administrator account lockout troubleshooting

Posted on 2016-08-08
190 Views
Last Modified: 2016-08-12
I am stumped as to what is causing the administrator lockout and open to ideas/suggestions as to what is causing it. Our syslog alerts us when accounts are locked out after a certain number of times. I turned on debugging (nltest /dbflag:0x2080ffff) and installed Netwrix, but I am unable to determine what is causing it.

The debug log says this is coming from this system, yet there are no services set to log on as the domain administrator and no mapped drives, and I'm pretty sure it's none of these scheduled tasks:

TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Password expiration report               8/10/2016 7:30:11 AM   Ready

Folder: \Microsoft
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Windows
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management Disabled
AD RMS Rights Policy Template Management N/A                    Ready

Folder: \Microsoft\Windows\AppID
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
PolicyConverter                          Disabled
VerifiedPublisherCertStoreCheck          Disabled

Folder: \Microsoft\Windows\Application Experience
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AitAgent                                 8/9/2016 2:30:00 AM    Ready
ProgramDataUpdater                       8/9/2016 12:30:00 AM   Ready

Folder: \Microsoft\Windows\Autochk
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Proxy                                    N/A                    Ready

Folder: \Microsoft\Windows\CertificateServicesClient
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SystemTask                               N/A                    Ready
UserTask                                 N/A                    Ready
UserTask-Roam                            Disabled

Folder: \Microsoft\Windows\Customer Experience Improvement Program
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Consolidator                             8/8/2016 6:00:00 PM    Could not start
KernelCeipTask                           8/11/2016 3:30:00 AM   Ready
UsbCeip                                  8/11/2016 1:30:00 AM   Ready

Folder: \Microsoft\Windows\Customer Experience Improvement Program\Server
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ServerCeipAssistant                      8/9/2016 10:57:57 PM   Could not start
ServerRoleCollector                      8/11/2016 12:50:44 AM  Ready
ServerRoleUsageCollector                 8/9/2016 11:47:06 PM   Could not start

Folder: \Microsoft\Windows\Defrag
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ScheduledDefrag                          8/10/2016 1:42:31 AM   Ready

Folder: \Microsoft\Windows\MemoryDiagnostic
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CorruptionDetector                       N/A                    Ready
DecompressionFailureDetector             N/A                    Ready

Folder: \Microsoft\Windows\MUI
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
LPRemove                                 N/A                    Ready

Folder: \Microsoft\Windows\Multimedia
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SystemSoundsService                      Disabled

Folder: \Microsoft\Windows\NetTrace
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
GatherNetworkInfo                        N/A                    Ready

Folder: \Microsoft\Windows\PLA
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Windows\Power Efficiency Diagnostics
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AnalyzeSystem                            8/16/2016 7:34:22 AM   Ready

Folder: \Microsoft\Windows\RAC
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
RacTask                                  8/8/2016 3:10:22 PM    Ready

Folder: \Microsoft\Windows\Ras
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
MobilityManager                          N/A                    Ready

Folder: \Microsoft\Windows\Registry
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
RegIdleBackup                            8/16/2016 12:16:17 AM  Ready

Folder: \Microsoft\Windows\Server Manager
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ServerManager                            N/A                    Ready

Folder: \Microsoft\Windows\SoftwareProtectionPlatform
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SvcRestartTask                           Disabled

Folder: \Microsoft\Windows\Task Manager
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Interactive                              N/A                    Ready

Folder: \Microsoft\Windows\Tcpip
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
IpAddressConflict1                       N/A                    Ready
IpAddressConflict2                       N/A                    Ready

Folder: \Microsoft\Windows\TextServicesFramework
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
MsCtfMonitor                             N/A                    Running

Folder: \Microsoft\Windows\Time Synchronization
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SynchronizeTime                          8/14/2016 1:00:00 AM   Ready

Folder: \Microsoft\Windows\UPnP
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
UPnPHostConfig                           N/A                    Ready

Folder: \Microsoft\Windows\User Profile Service
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
HiveUploadTask                           Disabled

Folder: \Microsoft\Windows\WDI
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ResolutionHost                           N/A                    Ready

Folder: \Microsoft\Windows\Windows Error Reporting
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
QueueReporting                           N/A                    Ready

Folder: \Microsoft\Windows\Windows Filtering Platform
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange              N/A                    Ready

Folder: \Microsoft\Windows\WindowsColorSystem
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Calibration Loader                       Disabled

Folder: \Microsoft\Windows\Wininet
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CacheTask                                N/A                    Running



Roles running on this system are AD, DNS, File services.

These are our domain controller event logs:
http://i.imgur.com/M9xvIO8.jpg
Question by:stlhost
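The Netlogon debug log that the question enables (nltest /dbflag:0x2080ffff, written to %windir%\debug\netlogon.log) records every pass-through logon with the workstation name the client presented, the DC that forwarded it and the result code, so the useful move is to filter it for the locked-out account and 0xC000006A (STATUS_WRONG_PASSWORD) and count by source. The script below is an added example, not code from the original post or from Netwrix. It assumes PowerShell 3.0 or later and the 2008 R2 line format shown in the constructed sample lines, so compare one real line from your own log against the regex before trusting the counts; the function name is chosen here.

```powershell
# Added example (not from the original post). Summarises "Returns 0xC000006A"
# entries in the Netlogon debug log that "nltest /dbflag:0x2080ffff" writes to
# %windir%\debug\netlogon.log, grouped by the workstation the client reported
# and the DC that forwarded the request. Assumes PowerShell 3.0+ and the line
# format in the constructed sample below; verify against a real line first.

$LinePattern = 'SamLogon:\s+(?<Kind>.+?)\s+logon of\s+(?<Domain>[^\\\s]+)\\(?<User>\S+)' +
               '\s+from\s*(?<Source>[^\s(]*)\s*(?:\(via (?<Via>[^)]+)\))?\s+Returns\s+(?<Status>0x[0-9A-Fa-f]+)'

function Get-NetlogonBadPasswordSource {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Lines,
        [string] $Account = 'Administrator',
        [string] $Status  = '0xC000006A'      # STATUS_WRONG_PASSWORD; 0xC0000234 = already locked out
    )
    $hits = foreach ($line in $Lines) {
        $m = [regex]::Match($line, $LinePattern)
        if (-not $m.Success) { continue }                       # "Entered" lines and unrelated noise
        if ($m.Groups['User'].Value -ne $Account) { continue }
        if ($m.Groups['Status'].Value -ne $Status) { continue }
        $src = $m.Groups['Source'].Value
        [pscustomobject]@{
            Time   = ($line -split '\s+')[0..1] -join ' '       # "MM/DD HH:MM:SS" prefix of the line
            Source = if ($src) { $src } else { '<blank>' }      # blank = client sent no workstation name
            Via    = $m.Groups['Via'].Value                     # DC that forwarded the logon, if any
            Kind   = $m.Groups['Kind'].Value                    # "Network", "Transitive Network", ...
        }
    }
    $hits | Group-Object Source, Via | ForEach-Object {
        [pscustomobject]@{
            Source = $_.Group[0].Source
            Via    = $_.Group[0].Via
            Count  = $_.Count
            First  = $_.Group[0].Time
            Last   = $_.Group[-1].Time
        }
    } | Sort-Object Count -Descending
}

# Constructed sample in the 2008 R2 netlogon.log format (not real log data):
$sample = @(
    '08/08 09:15:01 [LOGON] [2316] CORP: SamLogon: Transitive Network logon of CORP\Administrator from WKS-PAYROLL (via CTCDC1) Entered',
    '08/08 09:15:01 [LOGON] [2316] CORP: SamLogon: Transitive Network logon of CORP\Administrator from WKS-PAYROLL (via CTCDC1) Returns 0xC000006A',
    '08/08 09:15:03 [LOGON] [2316] CORP: SamLogon: Transitive Network logon of CORP\Administrator from WKS-PAYROLL (via CTCDC1) Returns 0xC000006A',
    '08/08 09:16:40 [LOGON] [1180] CORP: SamLogon: Network logon of CORP\Administrator from  Returns 0xC000006A',
    '08/08 09:20:12 [LOGON] [2316] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS-PAYROLL (via CTCDC1) Returns 0xC000006A',
    '08/08 09:25:00 [LOGON] [2316] CORP: SamLogon: Transitive Network logon of CORP\Administrator from WKS-PAYROLL (via CTCDC1) Returns 0xC0000234'
)
Get-NetlogonBadPasswordSource -Lines $sample | Format-Table -AutoSize

# On a DC with debug logging enabled:
# Get-NetlogonBadPasswordSource -Lines (Get-Content "$env:windir\debug\netlogon.log")
```

In the sample, the jsmith line and the 0xC0000234 line are skipped (wrong account, wrong status) and the line with no workstation name lands in the <blank> bucket. That bucket is the one to investigate first when the only named sources are DCs: a client that sends an empty workstation name (scanners and appliances commonly do) shows up with nothing in Source and only the forwarding DC in Via, which is what "coming from this system" looks like in this log.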
9 Comments
 
Expert Comment by awed1 (ID: 41747863)
Are you logged on as the local computer's administrator when you check the Scheduled Tasks history?
 
Author Comment by stlhost (ID: 41747866)
Logged in as the domain administrator. I thought there was no local administrator account when it is running Active Directory?
 
Expert Comment by awed1 (ID: 41747874)
stlhost, well, I kind of wondered how it could be possible, but thought I'd ask. There was a KB2549079 problem that had earmarks of what you are experiencing. It said that if you were logging on to look at the Scheduled Tasks history with a local account that had the same name as your domain account (administrator and administrator), it would try to log you on with the domain account of that name. It came up, so I thought I'd ask.
Expert Comment by awed1 (ID: 41747891)
stlhost, if it helps, your event log says that a bad password is being used to try to log in on the administrator account:

C000006A: user name is correct but the password is wrong

Maybe you changed the password and some scheduled event still carries the old password, etc.
 
Author Comment by stlhost (ID: 41747943)
The password was changed about a year ago. The account lockouts have always been an issue; it's just getting worse as time goes by. So instead of a few events starting out, we're seeing up to 100 a day.
 
Author Comment by stlhost (ID: 41747955)
And actually, when the alerts come to me from Netwrix, I've noticed both domain controllers are showing up in the alerts, not just one. If replication is failing, would this cause it?

Who Changed      domain\CTCDC2$
Where Changed      ctcdc2.domain
Object Name      \local\domain\Users\Administrator
Details      User Account Locked Out

Who Changed      domain\CTCDC1$
Where Changed      ctcdc1.domain
Object Name      \local\domain\Users\Administrator
Details      User Account Locked Out
 
Expert Comment by awed1 (ID: 41748044)
Before the time a year ago when you changed the administrator password, were the errors still showing up?

I suppose that you have looked at something like Process Monitor and compared the times?

So you have a Netwrix tool https://www.netwrix.com/account_lockout_examiner.html and you cannot drill down to find a process that is triggering the event?

In an older 2008 entry I saw this:

jenkinsgroup, Expert Comment on 2008-03-11 at 18:24:49 (ID: 21102246):

To add to this question, because this is where we ended up when we had a very similar problem.

Go into DHCP > right-click the server (in our case the PDC emulator was the only DHCP server) and go to Properties > Advanced tab > "DNS dynamic updates registration credentials".

Check if this is referencing the old admin password. This was what was locking our admin account after a password change. It took us a month of constant lockouts before we stumbled upon it by accident.

(Someone else actually reported that this comment helped them.)

Several people also suggested that you look at all of the services set up to log on with the admin credentials to see if one of them was trying to use the wrong (old?) password.

Additionally, several people pointed to a time discrepancy between the servers. That would have something to do with Kerberos attempting and failing, etc.

I know that these are just ideas that you have probably looked at before, but here they are just in case one may help.
 
Accepted Solution by Ajit Singh (earned 500 total points, ID: 41748583)
Make sure whether you have any services or applications that run with your domain account. It seems that IIS is installed on the DC and your domain account is configured. Check the configuration of IIS, as this could be one of the causes if configured.

Account Lockout and Management Tools
http://www.microsoft.com/en-us/download/details.aspx?id=18465

There may be many other causes for account lockout:
• user's account in Stored User Names and Passwords
• user's account tied to a persistent mapped drive
• user's account used as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after the user's password was changed
• A SMARTPHONE!!!

Please refer to the informative resources below; they might help you get into the details and let you resolve this issue:

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Trace the source of a bad password and account lockout in AD:
https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

Identify the source of Account Lockouts in Active Directory:
https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory

Hope this helps!
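The list in the accepted answer is the checklist; what a practitioner wants next is a way to run it on each host that the DC's logs name as the source. The function below is an added example, not part of the answer and not a Microsoft or Netwrix tool. It checks the places on one Windows host where a saved copy of the password can sit: service logon accounts, the "Run As User" of every scheduled task (read via schtasks /query /v /fo CSV, which exists on 2008 R2 where Get-ScheduledTask does not), IIS application pool identities (only when the WebAdministration module is present), persistent drive mappings, and the Credential Manager vault of the user running it. It assumes PowerShell 3.0 or later and an elevated prompt; Find-StoredAccountUsage and Add-Finding are names chosen here.

```powershell
# Added example, not from the original thread. Lists where a saved copy of an
# account's password can live on this host. Assumes PowerShell 3.0+ and an
# elevated prompt; the IIS check only runs when the WebAdministration module exists.

function Find-StoredAccountUsage {
    param([string]$Account = 'Administrator')   # substring match, so "CORP\Administrator" also hits

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Where, [string]$Item, [string]$RunsAs) {
        if ($RunsAs -and $RunsAs -like "*$Account*") {
            $findings.Add([pscustomobject]@{ Where = $Where; Item = $Item; RunsAs = $RunsAs })
        }
    }

    # 1. Services: StartName is the logon account (LocalSystem, NT AUTHORITY\..., DOMAIN\user)
    Get-CimInstance Win32_Service | ForEach-Object { Add-Finding 'Service' $_.Name $_.StartName }

    # 2. Scheduled tasks: schtasks /v /fo CSV has a "Run As User" column on every OS
    #    since Vista and repeats its header row per task folder, hence the filter.
    schtasks.exe /query /v /fo CSV 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        ForEach-Object { Add-Finding 'ScheduledTask' $_.TaskName $_.'Run As User' }

    # 3. IIS application pool identities (only when IIS and its module are installed)
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools | ForEach-Object {
            Add-Finding 'IISAppPool' $_.Name $_.processModel.userName
        }
    }

    # 4. Persistent drive mappings made with saved credentials
    Get-CimInstance Win32_NetworkConnection | ForEach-Object {
        Add-Finding 'MappedDrive' "$($_.LocalName) -> $($_.RemoteName)" $_.UserName
    }

    # 5. Credential Manager vault: cmdkey prints "Target:" then "User:" lines. Only the
    #    current user's vault is visible, so run this as each user you suspect.
    $target = ''
    cmdkey.exe /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$')   { $target = $Matches[1] }
        elseif ($_ -match '^\s*User:\s*(.+)$') { Add-Finding 'CredentialManager' $target $Matches[1] }
    }

    return $findings
}

Find-StoredAccountUsage -Account 'Administrator' | Format-Table -AutoSize
```

Two gaps to keep in mind: the vault check is per user (a service that runs as another account has its own vault), and none of this sees credentials held outside the host, such as the DHCP dynamic-update credentials mentioned earlier in the thread, a hypervisor that resumes a suspended VM, or a network device or scanner that authenticates to the domain with its own stored copy of the password.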
 
Author Closing Comment by stlhost (ID: 41753844)
I ended up turning on diagnostics for Active Directory, but the events were still being generated from what appeared to be only the domain controllers. In the end I turned on Group Policy audit logging, and this gave me extra info; it turned out to be the Nessus scanner that was causing it.
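The closing comment's fix was enabling audit logging and then reading what the DCs recorded. The script below is an added example, not the author's, showing both halves: the auditpol equivalents of the Advanced Audit Policy settings that produce the bad-password and lockout events, and a query over a DC's Security log that ties each event to where the attempt came from. It assumes PowerShell 3.0 or later, an elevated prompt on a DC (lockouts are forwarded to the PDC emulator, which records every 4740, so query there), and the standard event schemas: 4740 keeps the caller computer name in TargetDomainName, 4776 (NTLM) keeps the client-supplied name in Workstation, 4771 (Kerberos pre-authentication) and 4625 carry the client IP address. The function names are chosen here. When 4740 and 4776 show only a DC name or a blank, the IP in 4771/4625 is the field to trust, which is the situation the author describes before the scanner was identified.

```powershell
# Added example, not from the original thread. Enables the audit subcategories that
# produce bad-password/lockout events and queries a DC's Security log for them.
# Assumes PowerShell 3.0+ and an elevated prompt on a DC (query the PDC emulator,
# which records every 4740). Function names are chosen here.

function Enable-LockoutAuditing {
    # Local equivalent of the Advanced Audit Policy settings; a GPO that manages
    # audit policy will overwrite these at the next refresh, so prefer the GPO.
    auditpol.exe /set /subcategory:"Credential Validation" /failure:enable             # 4776 (NTLM)
    auditpol.exe /set /subcategory:"Kerberos Authentication Service" /failure:enable   # 4771 (Kerberos pre-auth)
    auditpol.exe /set /subcategory:"Logon" /failure:enable                              # 4625
    auditpol.exe /set /subcategory:"User Account Management" /success:enable            # 4740 (lockout)
}

function Get-BadPasswordSource {
    param([string]$Account = 'Administrator', [int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue   # no error when nothing matches

    foreach ($e in $events) {
        # Pull the EventData <Data Name="..."> fields into a hashtable keyed by name
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $Account) { continue }

        $source = switch ($e.Id) {
            4740 { $d['TargetDomainName'] }        # shown as "Caller Computer Name" in Event Viewer
            4776 { $d['Workstation'] }             # name the NTLM client supplied (may be blank or spoofed)
            4771 { $d['IpAddress'] }               # the KDC records the real client address
            4625 { if ($d['IpAddress'] -and $d['IpAddress'] -ne '-') { $d['IpAddress'] } else { $d['WorkstationName'] } }
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Source = if ([string]::IsNullOrWhiteSpace($source)) { '<blank>' } else { $source }
            Status = if ($e.Id -eq 4625) { $d['SubStatus'] } else { $d['Status'] }   # 0xC000006A / 0x18 = wrong password
            DC     = $e.MachineName
        }
    }
}

# Enable-LockoutAuditing   # run once per DC, or set the same subcategories via GPO as the author did
Get-BadPasswordSource -Account 'Administrator' -Hours 24 |
    Group-Object Id, Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Read the grouped output per event ID rather than as one list: a source that appears under 4771 or 4625 with an IP address and under 4776 with a blank or DC name is a single client whose NTLM workstation field is empty, and resolving that IP is what identifies a scanner or appliance that has no name to present.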

Question has a verified solution.
