Admin Account Lockout

(OP)
On our NT domain we have begun to experience the frequent (multiple times daily) lockout of our network administrator user.

Looking at the Security logs for Event ID 644, it seems apparent that the source workstations are 3 different server boxes within our LAN; this is happening randomly but multiple times a day.

Having searched around the three culprit servers, we've eliminated the possibility that any drive mapping or services with the wrong credentials could be causing the issue - no one else can or will access these servers other than our 2 admins.

We temporarily renamed the admin account and this stopped it from locking out.

Now then, to try and make a contingency for the weekend, so that backup jobs and processes etc. would continue to run over the weekend, we set the bad logon threshold to 600 (during Thursday/Friday we had no more than 20 instances of the lockout occurring, with corresponding Event 644s each time appearing in the logs).

Lo and behold, this morning we found the admin account to be locked out, but strangely there was only 1 Event ID 644 in the log, from Friday evening - where I would have expected to see 600 of them.

Again, within 90 mins of me unlocking the account again this morning we have had another lockout with only one 644 displaying in the log.

Anyone any ideas where to go with this?

RE: Admin Account Lockout

(OP)
My mistake - I shouldn't expect 600 instances of 644; my NT knowledge is a little rusty and I presumed these were bad logon attempts when they are of course lockout notifications.

Bottom line is we're apparently having 600 failed attempts within 90 mins when our network is at its least populated in terms of users active (Friday evening and pre 9am Monday).

Can't seem to pinpoint the cause, only the source(s).

RE: Admin Account Lockout

Have you recently changed the admin password?
Are you running any services using that account?

At a guess I would say that you have a service running on these machines that has old credentials that's causing the lock outs.

As far as backups etc are concerned, you really should be using a dedicated backup user rather than the domain admin account.

I would start looking at your services and their corresponding service accounts.

Simon

The real world is not about exam scores, it's about ability.

 

RE: Admin Account Lockout

(OP)
One word.....Conficker blllttt

RE: Admin Account Lockout

Wow... ummm ok.  

Simon

The real world is not about exam scores, it's about ability.
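
The triage the thread arrives at, written out as an added example that is not from any poster: list which machines the lockout events (Event ID 644) name as source, and work out the minimum bad-logon rate implied by the time between an unlock and the next lockout. The CSV layout, column names, host names, account name and timestamps are constructed, and the `human_rate` cutoff is an assumption; the threshold of 600 and the 90-minute gap are the figures from the thread.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export of Security log events; column names, hosts,
# account names and timestamps are invented for illustration.
SAMPLE_EVENTS = """\
time,event_id,target_account,caller_machine
2009-01-08 14:10:00,644,netadmin,SRV-APP2
2009-01-09 18:40:00,644,netadmin,SRV-FILE1
2009-01-12 08:57:00,528,netadmin,WKS-017
2009-01-12 10:25:00,644,netadmin,SRV-DB3
2009-01-12 10:30:00,644,jsmith,WKS-044
"""
FMT = "%Y-%m-%d %H:%M:%S"


def lockouts(csv_text, account):
    """Return sorted (time, caller_machine) for each Event 644 naming `account`."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] == "644" and row["target_account"].lower() == account.lower():
            out.append((datetime.strptime(row["time"], FMT), row["caller_machine"].upper()))
    return sorted(out)


def implied_rate(unlocked_at, locked_at, threshold):
    """Minimum bad logons per minute needed to reach `threshold` after an unlock."""
    minutes = (locked_at - unlocked_at).total_seconds() / 60
    if minutes <= 0:
        raise ValueError("lockout must come after the unlock")
    return threshold / minutes


def assess(csv_text, account, threshold, unlocked_at, human_rate=1.0):
    """Summarise lockout sources and flag a rate too high for manual typing."""
    all_events = lockouts(csv_text, account)
    after = [e for e in all_events if e[0] > unlocked_at]
    if not after:
        return None  # no lockout since the account was unlocked
    rate = implied_rate(unlocked_at, after[0][0], threshold)
    return {
        "sources": Counter(host for _, host in all_events),
        "first_relock": after[0][0],
        "bad_logons_per_min": round(rate, 2),
        "automated": rate > human_rate,  # human_rate is an assumed cutoff
    }
```

A single lockout event stands for at least `threshold` failed logons since the unlock, so one Event 644 per lockout is the expected count; the failed logons themselves are recorded as separate failure events on the machines that processed them.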

 
