
Windows Server - Security Event Logs - Domains Administrator account lock out / unlock

I've searched the internet and I still don't understand what it means when NCA\ANONYMOUS LOGON locks and/or unlocks the domain administrator account.
Below is an extract from the event viewer in an easy to read format. Can anyone explain the best way to determine if it is an intrusion attempt or a process, application or service causing this?

An event has occurred in which you are on the notification list.
Time Stamp: 10/23/2019 11:56:45 PM
Perpetrator: CN=Anonymous Logon,CN=WellKnown Security Principals,CN=Configuration,DC=***,DC=local
Perpetrator Name: ***\ANONYMOUS LOGON
Event Source Type: Active Directory
Domain Name: ***
Policy Name: AD: User Account Lockouts
Event Name: Object Modified
Event Name Translated: Account unlocked
Originating Server: ***\***-DC01
Originating Server IP:   *.*.*.10
Target Host: n/a
Target Host IP: n/a
Class Name: user
DN: CN=Administrator,CN=Users,DC=***,DC=local
Affected Object SID: S-1-5-21-3359379490-2354048252-4260778802-500
Affected Object Account Name: ***\administrator
Operation Successful: True
Operation Status: Success
Blocked Event: False
Perpetrator Sid: S-1-5-7
Originating Client: AUTH:***-DC01
Originating Client Host: ***-DC01.****.LOCAL
Originating Client IP: x.x.x.10
Originating Client Protocol: AUTH
Originating Client MAC: **:**:**:**:**:FF
Events Count: 1


Thanks in advance.

David

Distinguished Expert 2019
Commented:
The event seems to indicate a scheduled account unlock.
I.e., you have an account lockout policy: after 5 attempts the account gets locked, and after 30 minutes the account gets unlocked.

The event in question appears to be that the time has lapsed and the account is being unlocked.
Usually, you would look for the failed logon attempts of the user and the lock events to determine the source of the requests that led to the account being locked.

The attempts to log in by guessing the password could be seen as an intrusion.
Hello,

The built-in Administrator account never locks down, and the SID shows that this is the built-in account. So if you have a lock-down policy it will lock/unlock and it is normal. What isn't normal is why it is locking.
First, the built-in account should be kept disabled (you should perform the admin tasks using another account); if not, your domain is vulnerable to brute force.
Second, you should look in the same log for wrong-password attempts and isolate the cause. It can be a service that tries to log on as administrator and you forgot to change the password, or a brute force attack. Anyway you should do the first option, then solve the second one.

Dan
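One way to do the correlation that arnold and Dan describe (find the lock/unlock events for the account, then the failed logons that caused the lock, and trace them to a source host), as an added example that is not from the thread or from any of the replies: a PowerShell script run on a domain controller that reads the native Security log. The account name, the 24-hour window and the event IDs 4740/4767/4625 are assumptions; the thread's extract came from a third-party audit tool, so its field names differ from the native ones used here.

```powershell
# Added example (not from the thread). Run in an elevated prompt on the PDC emulator,
# which records every 4740 (lockout) in the domain. Assumed inputs: account name and window.
param(
    [string]$Account = 'Administrator',   # account from the thread's event
    [int]$Hours = 24
)

# Turn an event's EventData into a hashtable keyed by the <Data Name="..."> attribute.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4740 = account locked out, 4767 = account unlocked, 4625 = failed logon (native Security IDs).
$filter = @{ LogName = 'Security'; Id = 4740, 4767, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $d = Get-EventData $e
    if ($d.TargetUserName -ne $Account) { continue }
    $source = $null; $sub = $null
    switch ($e.Id) {
        4740 { $source = $d.TargetDomainName }   # 4740 stores "Caller Computer Name" in this field
        4767 { $source = $d.SubjectUserName }    # who performed the unlock (an admin, or a DC account)
        4625 { $source = "$($d.WorkstationName) $($d.IpAddress)"
               $sub = $d.SubStatus }             # 0xC000006A = bad password, 0xC0000234 = locked out
    }
    [pscustomobject]@{
        Time = $e.TimeCreated; Id = $e.Id; Source = $source
        LogonType = $d.LogonType; SubStatus = $sub
    }
}

# Timeline first (lock, unlock and failures in order), then failed logons per source:
# the busiest source is the stale service credential, or the brute-force client, to chase.
$rows | Sort-Object Time | Format-Table -AutoSize
$rows | Where-Object Id -eq 4625 | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A 4625 with SubStatus 0xC000006A repeating from one workstation at a fixed interval matches the stale-service-password case; many sources, or a source you do not recognise, is the case to treat as an intrusion attempt.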
Shaun Vermaak, Senior Consultant
Awarded 2017
Distinguished Expert 2019

Commented:
Are you exposing the DC to the web via RDP? Is Windows Firewall enabled? The FW rules for a DC are automatically configured.

Also look at NTLM section in my article
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html?searchNotTop10=true
David Zacharczyk, Network & Systems Engineer

Author

Commented:
@arnold,
Thank you for clarifying that. It makes a lot of sense.

@dan_blagut
Thank you for your reply.

@Shaun Vermaak
Thank you for your reply. The DC is not public-facing. The Windows Firewall is enabled. Failed login attempts are most likely a service that is configured to use the administrator account that was not updated with the administrator password change. I was just concerned because I've never seen an unlock event for the administrator password.

We have some other failed logon attempts that I need help with, but I will review Shaun's NTLM article and open a separate thread for that if necessary.

Thank you for your help!
David Zacharczyk, Network & Systems Engineer

Author

Commented:
Thank you for helping me out!