Gad SAADIA
 asked on

DC Administrator account problem

Hello,

Environment:
HV: Windows 2016
VM: Windows 2016, single DC

Problem:
For an unknown reason, the domain administrator account is being locked very often. Regularly (sometimes every day) I have to log on to the DC with another account (with admin rights) and go to AD to "unlock" the administrator account.

I do not know why the administrator account is regularly locked.

Do you have any idea what could be the problem?

Thank you for your help
Regards
Gad Saadia
Windows OS, Active Directory

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Hello There

Shaun Vermaak

Udara Peiris

Hi,
This may have happened due to replication issues if you have more than one DC.
Please check AD health and replication status if you have more than 1 DC.
Another reason is old credentials cached somewhere.

You can simply follow the steps given in the references below and try to isolate the reason.
https://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx 
https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad 

Try to filter the Windows security log for lockout event 4740 for the admin account. Then analyze the time. You will be able to get an idea about this behavior.
Read event 4740 as described below and try to identify the source.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740 
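
One way to do the event 4740 filtering suggested in the answer above, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the DC; the account name and the 7-day window are assumptions to adjust.

```powershell
# Added example: summarize lockout events (ID 4740) from the DC's Security log.
# $Account and $Days are assumed defaults, not values from the thread.
param(
    [string]$Account = 'Administrator',
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}

$lockouts = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the event data fields by name from the XML form of the event.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # In 4740, TargetUserName is the locked account and TargetDomainName
        # holds the "Caller Computer Name" shown in Event Viewer.
        $caller = $data['TargetDomainName']
        # A blank caller is common for non-Windows or external sources; in that
        # case check 4776 (Workstation) and 4771 (IpAddress) around the same time.
        if ([string]::IsNullOrWhiteSpace($caller)) { $caller = '(blank)' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $data['TargetUserName']
            Caller  = $caller
        }
    } |
    Where-Object { $_.Account -eq $Account }

if (-not $lockouts) { Write-Output "No 4740 events for $Account in the last $Days days."; return }

# Which computer is reported as the caller most often?
$lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# At what hour do lockouts occur? A recurring hour may point to a scheduled
# task or service still using an old password.
$lockouts | Group-Object { $_.Time.Hour } | Sort-Object { [int]$_.Name } |
    Select-Object @{n='Hour';e={$_.Name}}, Count | Format-Table -AutoSize
```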
arnold

If the account is administrator, do you have your system exposed to the outside? By web, mail server, RDP?

Since you have a single DC, you can try and locate the source of the auth requests.
A clue as to what might be locking it is: when it is locked, what issues are reported?
Nirsoft, if not mistaken, has a lockout tool, but as noted, single DC.
Shaun's suggestion, or getting the aclock tool from MS that includes an eventmngmnt tool that will scour the events in the security log of the DC to identify the requests, failed, that lead to the lockout of the account.

How many people had access to the account?
Gad SAADIA

ASKER
Hello to all. Thank you for all your answers and suggestions. We will look into this problem in the following 2/3 days and keep you informed. Thank you again. Regards
Gad
Gad SAADIA

ASKER
thanks to all