Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.
administrator account lockout troubleshooting
I am stumped at what is causing administrator lockout, open to ideas/suggestions as to what is causing it. Our syslog alerts us when accounts are locked out after a certain amount of times. I turned on debugging (nltest /dbflag:0x2080ffff) and installed netwrix but I am unable to determine what is causing it.
Debug log says this is coming from this system yet there are no services that are set to logon as the domain administrator, no mapped drives, pretty sure it's none of these scheduled tasks
Roles running on this system are AD, DNS, File services.
This is our domain controller event logs.
http://i.imgur.com/M9xvIO8.jpg
Debug log says this is coming from this system yet there are no services that are set to logon as the domain administrator, no mapped drives, pretty sure it's none of these scheduled tasks
TaskName Next Run Time Status
======================================== ====================== ===============
Password expiration report 8/10/2016 7:30:11 AM Ready
Folder: \Microsoft
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management Disabled
AD RMS Rights Policy Template Management N/A Ready
Folder: \Microsoft\Windows\AppID
TaskName Next Run Time Status
======================================== ====================== ===============
PolicyConverter Disabled
VerifiedPublisherCertStoreCheck Disabled
Folder: \Microsoft\Windows\Application Experience
TaskName Next Run Time Status
======================================== ====================== ===============
AitAgent 8/9/2016 2:30:00 AM Ready
ProgramDataUpdater 8/9/2016 12:30:00 AM Ready
Folder: \Microsoft\Windows\Autochk
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
Folder: \Microsoft\Windows\CertificateServicesClient
TaskName Next Run Time Status
======================================== ====================== ===============
SystemTask N/A Ready
UserTask N/A Ready
UserTask-Roam Disabled
Folder: \Microsoft\Windows\Customer Experience Improvement Program
TaskName Next Run Time Status
======================================== ====================== ===============
Consolidator 8/8/2016 6:00:00 PM Could not start
KernelCeipTask 8/11/2016 3:30:00 AM Ready
UsbCeip 8/11/2016 1:30:00 AM Ready
Folder: \Microsoft\Windows\Customer Experience Improvement Program\Server
TaskName Next Run Time Status
======================================== ====================== ===============
ServerCeipAssistant 8/9/2016 10:57:57 PM Could not start
ServerRoleCollector 8/11/2016 12:50:44 AM Ready
ServerRoleUsageCollector 8/9/2016 11:47:06 PM Could not start
Folder: \Microsoft\Windows\Defrag
TaskName Next Run Time Status
======================================== ====================== ===============
ScheduledDefrag 8/10/2016 1:42:31 AM Ready
Folder: \Microsoft\Windows\MemoryDiagnostic
TaskName Next Run Time Status
======================================== ====================== ===============
CorruptionDetector N/A Ready
DecompressionFailureDetector N/A Ready
Folder: \Microsoft\Windows\MUI
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
Folder: \Microsoft\Windows\Multimedia
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService Disabled
Folder: \Microsoft\Windows\NetTrace
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
Folder: \Microsoft\Windows\PLA
TaskName Next Run Time Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Power Efficiency Diagnostics
TaskName Next Run Time Status
======================================== ====================== ===============
AnalyzeSystem 8/16/2016 7:34:22 AM Ready
Folder: \Microsoft\Windows\RAC
TaskName Next Run Time Status
======================================== ====================== ===============
RacTask 8/8/2016 3:10:22 PM Ready
Folder: \Microsoft\Windows\Ras
TaskName Next Run Time Status
======================================== ====================== ===============
MobilityManager N/A Ready
Folder: \Microsoft\Windows\Registry
TaskName Next Run Time Status
======================================== ====================== ===============
RegIdleBackup 8/16/2016 12:16:17 AM Ready
Folder: \Microsoft\Windows\Server Manager
TaskName Next Run Time Status
======================================== ====================== ===============
ServerManager N/A Ready
Folder: \Microsoft\Windows\SoftwareProtectionPlatform
TaskName Next Run Time Status
======================================== ====================== ===============
SvcRestartTask Disabled
Folder: \Microsoft\Windows\Task Manager
TaskName Next Run Time Status
======================================== ====================== ===============
Interactive N/A Ready
Folder: \Microsoft\Windows\Tcpip
TaskName Next Run Time Status
======================================== ====================== ===============
IpAddressConflict1 N/A Ready
IpAddressConflict2 N/A Ready
Folder: \Microsoft\Windows\TextServicesFramework
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Running
Folder: \Microsoft\Windows\Time Synchronization
TaskName Next Run Time Status
======================================== ====================== ===============
SynchronizeTime 8/14/2016 1:00:00 AM Ready
Folder: \Microsoft\Windows\UPnP
TaskName Next Run Time Status
======================================== ====================== ===============
UPnPHostConfig N/A Ready
Folder: \Microsoft\Windows\User Profile Service
TaskName Next Run Time Status
======================================== ====================== ===============
HiveUploadTask Disabled
Folder: \Microsoft\Windows\WDI
TaskName Next Run Time Status
======================================== ====================== ===============
ResolutionHost N/A Ready
Folder: \Microsoft\Windows\Windows Error Reporting
TaskName Next Run Time Status
======================================== ====================== ===============
QueueReporting N/A Ready
Folder: \Microsoft\Windows\Windows Filtering Platform
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
Folder: \Microsoft\Windows\WindowsColorSystem
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader Disabled
Folder: \Microsoft\Windows\Wininet
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Running
Roles running on this system are AD, DNS, File services.
This is our domain controller event logs.
http://i.imgur.com/M9xvIO8.jpg
Asked:
Who is Participating?
Logged in as the domain administrator. Thought there was no local administrator account when it is running active directory?
stlhost, Well I kind of wondered how it could be possible, but thought I'd ask. There was a KB2549079 problem that had earmarks for what you are experiencing. It said that if you were logging on to look at the Scheduled Tasks history, with a local account that had the same name as your domain account, (administrator, and administrator) it would try and log you on with he domain account of that name. It came up, so I thought I'd ask.
stlhost, If it helps, your Event Log says that it is a bad password that is being used to try and log in on the administrator account:
C000006A user name is correct but the password is wrong
Maybe you had changed the password and some scheduled event still carries the old password etc.
C000006A user name is correct but the password is wrong
Maybe you had changed the password and some scheduled event still carries the old password etc.
The password was changed about a year ago. The account lockouts have always been an issue it's just getting worst as time goes by. So instead of a few events starting out, we're seeing up to 100 a day.
And actually when the alerts come to me from netwrix Ive noticed both domain controllers are showing up in the alerts not just one. If replication is failing would this cause it?
Who Changed domain\CTCDC2$
Where Changed ctcdc2.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Who Changed domain\CTCDC1$
Where Changed ctcdc1.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Who Changed domain\CTCDC2$
Where Changed ctcdc2.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Who Changed domain\CTCDC1$
Where Changed ctcdc1.domain
Object Name \local\domain\Users\Admini
Details User Account Locked Out
Before the time - a year ago when you changed the administrator password, were the errors still showing up?
I suppose that you have looked at something like Process Monitor and compare the times?
So you have a netwrix tool https://www.netwrix.com/account_lockout_examiner.html and you cannot drill down to find a process that is triggering the event?
In an older 2008 entry I saw this:
jenkinsgroup
Expert Comment
on 2008-03-11 at 18:24:49ID: 21102246
To add to this question because this is where we ended up when we had a very similar problem.
Go into DHCP > Right click server (in our case the PDC emu was the only DHCP server) and go Properties > Advanced Tab > "DNS Dynamic updates registration credentials"
Check if this is referencing the old admin password. This was what was locking our admin account after a password change. Took us a month of constant lockouts before we stumbled upon it by accident.
___________ someone else actually reported that this comment helped them ________
Several people also suggested that you look at all of the services set up to logon with the admin credentials to see if one of them was trying to use the wrong (old ?) password.
Additionally, several people pointed to a time discrepancy between the servers. That would have something to do with Kerberos attempting and failing etc.
I know that these are just ideas that you have probably looked at before, but here they are just in case one may help.
I suppose that you have looked at something like Process Monitor and compare the times?
So you have a netwrix tool https://www.netwrix.com/account_lockout_examiner.html and you cannot drill down to find a process that is triggering the event?
In an older 2008 entry I saw this:
jenkinsgroup
Expert Comment
on 2008-03-11 at 18:24:49ID: 21102246
To add to this question because this is where we ended up when we had a very similar problem.
Go into DHCP > Right click server (in our case the PDC emu was the only DHCP server) and go Properties > Advanced Tab > "DNS Dynamic updates registration credentials"
Check if this is referencing the old admin password. This was what was locking our admin account after a password change. Took us a month of constant lockouts before we stumbled upon it by accident.
___________ someone else actually reported that this comment helped them ________
Several people also suggested that you look at all of the services set up to logon with the admin credentials to see if one of them was trying to use the wrong (old ?) password.
Additionally, several people pointed to a time discrepancy between the servers. That would have something to do with Kerberos attempting and failing etc.
I know that these are just ideas that you have probably looked at before, but here they are just in case one may help.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month5 days, 9 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
Account Lockout and Management Tools
http://www.microsoft.com/en-us/download/details.aspx?id=18465
There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!
Please refer to below informative resources might helps you to get in detailed and lets you to resolve this issue:
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
Trace the source of a bad password and account lockout in AD:
https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad
Identify the source of Account Lockouts in Active Directory:
https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory
Hope this helps!