Link to home
Start Free TrialLog in
Avatar of SooHow Cheng
SooHow ChengFlag for Singapore

asked on

Why these AD computer and user accounts locked out?

This is using MS Windows 2012R2 AD. Found that the server and domain user account were locked out suddenly. Please see the error message,

 Security ID:  S-1-5-18
 Account Name:  MAILSrv2$
 Account Domain:  WYN
 Logon ID:  0x3e7

Account That Was Locked Out:
 Security ID:  S-1-5-21-2396463283-3790571017-4125249057-1624
 Account Name:  administrator

Additional Information:
 Caller Computer Name: MAILSrv2
 09/24/2021 12:51:45 

Although both accounts can be reset and back to normal now, but they were locked out out of sudden?

Thanks in advantage

Avatar of Seth Simmons
Seth Simmons
Flag of United States of America image

if the caller computer is your mail server (exchange?) then i would look into that with everything exchange related last several months

is your server fully patched?
Avatar of CompProbSolv
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of SooHow Cheng


Hi Seth Simmons,

This Mail used to be exchange server, however, since all mailbox been migrated to office365, all the exchange services were stopped.
Hi CompProbSolv,

Any way to trace for the possibility of password failures? through event viewer or so?
You may be able to use Netwrix's Account Examiner tool:

through event viewer or so?

seems you already did that with your pasted security log output
check for any scheduled tasks to run as administrator; maybe the password changed and the task tries to run with the old password?

and what "both accounts"?  your message only shows administrator
also, the SID referenced ends in 1624 which tells me it is a local account, not the domain administrator which would end in 500
Hi CompProbSolv,

You are right, found the gpo for password account lockout set for 3 failed attempts. 
Thanks for the advises, managed to find the password gpo that did the lockout.