SooHow Cheng asked on

Why were these AD computer and user accounts locked out?

This is using MS Windows 2012 R2 AD. I found that the server and domain user account were locked out suddenly. Please see the error message:

Subject:
 Security ID:  S-1-5-18
 Account Name:  MAILSrv2$
 Account Domain:  WYN
 Logon ID:  0x3e7

Account That Was Locked Out:
 Security ID:  S-1-5-21-2396463283-3790571017-4125249057-1624
 Account Name:  administrator

Additional Information:
 Caller Computer Name: MAILSrv2
 09/24/2021 12:51:45 


Both accounts can be reset and are back to normal now, but why were they locked out all of a sudden?


Thanks in advance


Windows OS, Windows Server 2012, Security, Active Directory

Last Comment
SooHow Cheng

8/22/2022 - Mon
Seth Simmons

If the caller computer is your mail server (Exchange?), then I would look into that, with everything Exchange-related over the last several months.

Is your server fully patched?
ASKER CERTIFIED SOLUTION
CompProbSolv

ASKER
SooHow Cheng

Hi Seth Simmons,

This Mail server used to be an Exchange server; however, since all mailboxes have been migrated to Office 365, all the Exchange services were stopped.
ASKER
SooHow Cheng

Hi CompProbSolv,

Any way to trace the possibility of password failures? Through Event Viewer or so?
Jazz Marie Kaur

You may be able to use Netwrix's Account Examiner tool:
https://www.netwrix.com/account_lockout_examiner.html

Seth Simmons

through event viewer or so?

Seems you already did that with your pasted security log output.
Check for any scheduled tasks set to run as administrator; maybe the password changed and the task tries to run with the old password?

And what "both accounts"? Your message only shows administrator.
Also, the SID referenced ends in 1624, which tells me it is a local account, not the domain administrator, which would end in 500.
ASKER
SooHow Cheng

Hi CompProbSolv,

You are right, I found the GPO for password account lockout set for 3 failed attempts.
ASKER
SooHow Cheng

Thanks for the advice, I managed to find the password GPO that did the lockout.
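
One way to do the tracing discussed in this thread (the lockout event, the failed logons behind it, tasks running as the account, and the lockout threshold), as an added example that is not part of any poster's reply. It assumes the locked-out account is a domain account as the question states, that the ActiveDirectory module is installed, and that logon-failure auditing is enabled on the caller computer; the 7-day window is an arbitrary choice.

```powershell
# Added example. Account and caller names come from the event pasted in the question;
# the 7-day window is an assumption. Needs rights to read the Security log remotely.
Import-Module ActiveDirectory
$Account = 'administrator'
$Caller  = 'MAILSrv2'
$Since   = (Get-Date).AddDays(-7)

# Turn an event record's <EventData> into a name/value hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    ([xml]$Record.ToXml()).Event.EventData.Data |
        ForEach-Object { $fields[$_.Name] = $_.'#text' }
    $fields
}

# 1. Lockouts (event 4740) are recorded on the PDC emulator. In this event the
#    TargetDomainName field holds the "Caller Computer Name".
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since } |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $f.TargetUserName
                           Caller = $f.TargetDomainName }
    } | Where-Object Account -eq $Account

# 2. Failed logons (event 4625) on the caller show what submitted the bad password:
#    logon type 4 = batch (scheduled task), 5 = service, 3 = network, 10 = RDP.
Get-WinEvent -ComputerName $Caller -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since } |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $f.TargetUserName
                           LogonType = $f.LogonType; Process = $f.ProcessName
                           Source = $f.IpAddress }
    } | Where-Object Account -eq $Account |
    Group-Object LogonType, Process, Source | Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Scheduled tasks and services on the caller that run as the locked-out account.
Get-ScheduledTask -CimSession $Caller |
    Where-Object { $_.Principal.UserId -like "*$Account" } |
    Select-Object TaskPath, TaskName, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
Get-CimInstance Win32_Service -ComputerName $Caller |
    Where-Object StartName -like "*$Account*" | Select-Object Name, StartName, State

# 4. The domain lockout policy in effect (the thread found a threshold of 3).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration
```

An empty result from step 1 or 2 can also mean the events have rolled out of the log or access was denied, since `-ErrorAction SilentlyContinue` hides both cases.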