Administrator Account Locking Out

Hi Everyone,

We have found a developing problem in our mixed mode environment of Windows
2003 Servers and Windows 2000 servers. On both of my Windows 2000 servers, I
can watch using the ALTools from Microsoft, specifically the lockout status
tool, the Administrator account count up and lock out every few minutes.
This does not seem to affect performance of any of my system dramatically,
but I'm concerned why it is doing this.

I have looked in both the event logs, turned on netlogon logging, etc. but
can find no reason for it. Can someone point me in the correct direction for
finding a log that will show me where the source of the attempted login is
coming from?

Then I can possibly troubleshoot the cause...

Thanks in advance,
Ken

Paul
Thu May 08 05:38:53 PDT 2008

Here is my standard saved response, use it if there are parts you haven't
already tried.

Is the account logged into more than one machine or is it running a service
on the same machine? A user could have mapped drives to a resource from one
machine, on a different machine he changes his password and then the first
machine attempts to stay mapped to a drive and the password is no longer
correct and eventually locks the user out. Or after a password is changed a
service is running that attempts to authenticate with an old password.

To help try and track down where the account is getting locked out use
eventcombMT.exe from the Account Lockout tools found out Microsoft's
website. Use the built in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


You can also set the debug flag on NetLogon to track authentication. "This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ken Montgomery" <KenMontgomery@discussions.microsoft.com> wrote in message
news:0D2171CF-C48C-436D-AF5E-2BBC808E81CC@microsoft.com...
> Hi Everyone,
>
> We have found a developing problem in our mixed mode environment of
> Windows
> 2003 Servers and Windows 2000 servers. On both of my Windows 2000
> servers, I
> can watch using the ALTools from Microsoft, specifically the lockout
> status
> tool, the Administrator account count up and lock out every few minutes.
> This does not seem to affect performance of any of my system dramatically,
> but I'm concerned why it is doing this.
>
> I have looked in both the event logs, turned on netlogon logging, etc. but
> can find no reason for it. Can someone point me in the correct direction
> for
> finding a log that will show me where the source of the attempted login is
> coming from?
>
> Then I can possibly troubleshoot the cause...
>
> Thanks in advance,
> Ken

Meinolf
Thu May 08 05:42:44 PDT 2008

Hello Ken,

Can occur if you are using the account also for services and did not change
the password also on a service where it is used. By default the administrator
can not really lock out so it will be always unlocked after it is locked.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi Everyone,
>
> We have found a developing problem in our mixed mode environment of
> Windows 2003 Servers and Windows 2000 servers. On both of my Windows
> 2000 servers, I can watch using the ALTools from Microsoft,
> specifically the lockout status tool, the Administrator account count
> up and lock out every few minutes. This does not seem to affect
> performance of any of my system dramatically, but I'm concerned why it
> is doing this.
>
> I have looked in both the event logs, turned on netlogon logging, etc.
> but can find no reason for it. Can someone point me in the correct
> direction for finding a log that will show me where the source of the
> attempted login is coming from?
>
> Then I can possibly troubleshoot the cause...
>
> Thanks in advance, Ken
>

KenMontgomery
Thu May 08 06:37:00 PDT 2008

Paul,

I have followed KB109626 as you indicated, turned on logging for netlogon
service... I found one transitive logon with the error code: 0xC00006A, User
logon with misspelled or bad password for the administrator account but am
having trouble finding the source... is there some better way to find the
source?

Thanks, Ken


So I watch the Lockout


"Paul Bergson [MVP-DS]" wrote:

> Here is my standard saved response, use it if there are parts you haven't
> already tried.
>
> Is the account logged into more than one machine or is it running a service
> on the same machine? A user could have mapped drives to a resource from one
> machine, on a different machine he changes his password and then the first
> machine attempts to stay mapped to a drive and the password is no longer
> correct and eventually locks the user out. Or after a password is changed a
> service is running that attempts to authenticate with an old password.
>
> To help try and track down where the account is getting locked out use
> eventcombMT.exe from the Account Lockout tools found out Microsoft's
> website. Use the built in search AccountLockouts and search in the created
> text files for the user in question.
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>
>
> You can also set the debug flag on NetLogon to track authentication. "This
> creates a text file on the PDC that can be examined to determine which
> clients are generating the bad password attempts."
> http://support.microsoft.com/kb/189541
> http://support.microsoft.com/kb/109626
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Ken Montgomery" <KenMontgomery@discussions.microsoft.com> wrote in message
> news:0D2171CF-C48C-436D-AF5E-2BBC808E81CC@microsoft.com...
> > Hi Everyone,
> >
> > We have found a developing problem in our mixed mode environment of
> > Windows
> > 2003 Servers and Windows 2000 servers. On both of my Windows 2000
> > servers, I
> > can watch using the ALTools from Microsoft, specifically the lockout
> > status
> > tool, the Administrator account count up and lock out every few minutes.
> > This does not seem to affect performance of any of my system dramatically,
> > but I'm concerned why it is doing this.
> >
> > I have looked in both the event logs, turned on netlogon logging, etc. but
> > can find no reason for it. Can someone point me in the correct direction
> > for
> > finding a log that will show me where the source of the attempted login is
> > coming from?
> >
> > Then I can possibly troubleshoot the cause...
> >
> > Thanks in advance,
> > Ken
>
>
>

KenMontgomery
Thu May 08 06:43:00 PDT 2008

Thanks, what has alerted us to it is the addition of a second Exchange server
to our domain for unified messaging, it will not install properly because it
says the Administrator account is locked out... which led me to this.

The account lockout doesn't appear to be a service, all are seeming to use
the local system account... so I'm still looking.

"Meinolf Weber" wrote:

> Hello Ken,
>
> Can occur if you are using the account also for services and did not change
> the password also on a service where it is used. By default the administrator
> can not really lock out so it will be always unlocked after it is locked.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > Hi Everyone,
> >
> > We have found a developing problem in our mixed mode environment of
> > Windows 2003 Servers and Windows 2000 servers. On both of my Windows
> > 2000 servers, I can watch using the ALTools from Microsoft,
> > specifically the lockout status tool, the Administrator account count
> > up and lock out every few minutes. This does not seem to affect
> > performance of any of my system dramatically, but I'm concerned why it
> > is doing this.
> >
> > I have looked in both the event logs, turned on netlogon logging, etc.
> > but can find no reason for it. Can someone point me in the correct
> > direction for finding a log that will show me where the source of the
> > attempted login is coming from?
> >
> > Then I can possibly troubleshoot the cause...
> >
> > Thanks in advance, Ken
> >
>
>
>

Paul
Thu May 08 07:29:25 PDT 2008

Only way I know how and I have always been successful using it

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Ken Montgomery" <KenMontgomery@discussions.microsoft.com> wrote in message
news:2DF90550-0D5E-495E-B5F5-3BDA799F8C3B@microsoft.com...
> Paul,
>
> I have followed KB109626 as you indicated, turned on logging for netlogon
> service... I found one transitive logon with the error code: 0xC00006A,
> User
> logon with misspelled or bad password for the administrator account but am
> having trouble finding the source... is there some better way to find the
> source?
>
> Thanks, Ken
>
>
> So I watch the Lockout
>
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Here is my standard saved response, use it if there are parts you haven't
>> already tried.
>>
>> Is the account logged into more than one machine or is it running a
>> service
>> on the same machine? A user could have mapped drives to a resource from
>> one
>> machine, on a different machine he changes his password and then the
>> first
>> machine attempts to stay mapped to a drive and the password is no longer
>> correct and eventually locks the user out. Or after a password is
>> changed a
>> service is running that attempts to authenticate with an old password.
>>
>> To help try and track down where the account is getting locked out use
>> eventcombMT.exe from the Account Lockout tools found out Microsoft's
>> website. Use the built in search AccountLockouts and search in the
>> created
>> text files for the user in question.
>>
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>>
>>
>> You can also set the debug flag on NetLogon to track authentication.
>> "This
>> creates a text file on the PDC that can be examined to determine which
>> clients are generating the bad password attempts."
>> http://support.microsoft.com/kb/189541
>> http://support.microsoft.com/kb/109626
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Ken Montgomery" <KenMontgomery@discussions.microsoft.com> wrote in
>> message
>> news:0D2171CF-C48C-436D-AF5E-2BBC808E81CC@microsoft.com...
>> > Hi Everyone,
>> >
>> > We have found a developing problem in our mixed mode environment of
>> > Windows
>> > 2003 Servers and Windows 2000 servers. On both of my Windows 2000
>> > servers, I
>> > can watch using the ALTools from Microsoft, specifically the lockout
>> > status
>> > tool, the Administrator account count up and lock out every few
>> > minutes.
>> > This does not seem to affect performance of any of my system
>> > dramatically,
>> > but I'm concerned why it is doing this.
>> >
>> > I have looked in both the event logs, turned on netlogon logging, etc.
>> > but
>> > can find no reason for it. Can someone point me in the correct
>> > direction
>> > for
>> > finding a log that will show me where the source of the attempted login
>> > is
>> > coming from?
>> >
>> > Then I can possibly troubleshoot the cause...
>> >
>> > Thanks in advance,
>> > Ken
>>
>>
>>

KenMontgomery
Thu May 08 07:59:01 PDT 2008

I may have found a clue... any suggestions with this line from one of the
security logs?

675,AUDIT FAILURE,Security,Thu May 08 10:00:18 2008,NT
AUTHORITY\SYSTEM,Pre-authentication failed: User Name: Administrator
User ID: %{S-1-5-21-1482476501-412668190-725345543-500} Service Name:
krbtgt

It seems that the Kerebos service is trying to use something associated with
the Administrator account, or possibly our RADIUS server might be using it
somehow?

"Paul Bergson [MVP-DS]" wrote:

> Only way I know how and I have always been successful using it
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Ken Montgomery" <KenMontgomery@discussions.microsoft.com> wrote in message
> news:2DF90550-0D5E-495E-B5F5-3BDA799F8C3B@microsoft.com...
> > Paul,
> >
> > I have followed KB109626 as you indicated, turned on logging for netlogon
> > service... I found one transitive logon with the error code: 0xC00006A,
> > User
> > logon with misspelled or bad password for the administrator account but am
> > having trouble finding the source... is there some better way to find the
> > source?
> >
> > Thanks, Ken
> >
> >
> > So I watch the Lockout
> >
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> Here is my standard saved response, use it if there are parts you haven't
> >> already tried.
> >>
> >> Is the account logged into more than one machine or is it running a
> >> service
> >> on the same machine? A user could have mapped drives to a resource from
> >> one
> >> machine, on a different machine he changes his password and then the
> >> first
> >> machine attempts to stay mapped to a drive and the password is no longer
> >> correct and eventually locks the user out. Or after a password is
> >> changed a
> >> service is running that attempts to authenticate with an old password.
> >>
> >> To help try and track down where the account is getting locked out use
> >> eventcombMT.exe from the Account Lockout tools found out Microsoft's
> >> website. Use the built in search AccountLockouts and search in the
> >> created
> >> text files for the user in question.
> >>
> >> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
> >>
> >>
> >> You can also set the debug flag on NetLogon to track authentication.
> >> "This
> >> creates a text file on the PDC that can be examined to determine which
> >> clients are generating the bad password attempts."
> >> http://support.microsoft.com/kb/189541
> >> http://support.microsoft.com/kb/109626
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >>
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
> >> "Ken Montgomery" <KenMontgomery@discussions.microsoft.com> wrote in
> >> message
> >> news:0D2171CF-C48C-436D-AF5E-2BBC808E81CC@microsoft.com...
> >> > Hi Everyone,
> >> >
> >> > We have found a developing problem in our mixed mode environment of
> >> > Windows
> >> > 2003 Servers and Windows 2000 servers. On both of my Windows 2000
> >> > servers, I
> >> > can watch using the ALTools from Microsoft, specifically the lockout
> >> > status
> >> > tool, the Administrator account count up and lock out every few
> >> > minutes.
> >> > This does not seem to affect performance of any of my system
> >> > dramatically,
> >> > but I'm concerned why it is doing this.
> >> >
> >> > I have looked in both the event logs, turned on netlogon logging, etc.
> >> > but
> >> > can find no reason for it. Can someone point me in the correct
> >> > direction
> >> > for
> >> > finding a log that will show me where the source of the attempted login
> >> > is
> >> > coming from?
> >> >
> >> > Then I can possibly troubleshoot the cause...
> >> >
> >> > Thanks in advance,
> >> > Ken
> >>
> >>
> >>
>
>
>

KenMontgomery
Thu May 08 09:07:00 PDT 2008

I have found two packages that are causing problems. One is a service
appliance, that was easy to find, the other is ASP.NET which was not so easy
to find.

Still getting lockouts though... so something else is causing it.

"Ken Montgomery" wrote:

> I may have found a clue... any suggestions with this line from one of the
> security logs?
>
> 675,AUDIT FAILURE,Security,Thu May 08 10:00:18 2008,NT
> AUTHORITY\SYSTEM,Pre-authentication failed: User Name: Administrator
> User ID: %{S-1-5-21-1482476501-412668190-725345543-500} Service Name:
> krbtgt
>
> It seems that the Kerebos service is trying to use something associated with
> the Administrator account, or possibly our RADIUS server might be using it
> somehow?
>
> "Paul Bergson [MVP-DS]" wrote:
>
> > Only way I know how and I have always been successful using it
> >
> > --
> > Paul Bergson
> > MVP - Directory Services
> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> > 2008, 2003, 2000 (Early Achiever), NT4
> >
> > http://www.pbbergs.com
> >
> > Please no e-mails, any questions should be posted in the NewsGroup
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > "Ken Montgomery" <KenMontgomery@discussions.microsoft.com> wrote in message
> > news:2DF90550-0D5E-495E-B5F5-3BDA799F8C3B@microsoft.com...
> > > Paul,
> > >
> > > I have followed KB109626 as you indicated, turned on logging for netlogon
> > > service... I found one transitive logon with the error code: 0xC00006A,
> > > User
> > > logon with misspelled or bad password for the administrator account but am
> > > having trouble finding the source... is there some better way to find the
> > > source?
> > >
> > > Thanks, Ken
> > >
> > >
> > > So I watch the Lockout
> > >
> > >
> > > "Paul Bergson [MVP-DS]" wrote:
> > >
> > >> Here is my standard saved response, use it if there are parts you haven't
> > >> already tried.
> > >>
> > >> Is the account logged into more than one machine or is it running a
> > >> service
> > >> on the same machine? A user could have mapped drives to a resource from
> > >> one
> > >> machine, on a different machine he changes his password and then the
> > >> first
> > >> machine attempts to stay mapped to a drive and the password is no longer
> > >> correct and eventually locks the user out. Or after a password is
> > >> changed a
> > >> service is running that attempts to authenticate with an old password.
> > >>
> > >> To help try and track down where the account is getting locked out use
> > >> eventcombMT.exe from the Account Lockout tools found out Microsoft's
> > >> website. Use the built in search AccountLockouts and search in the
> > >> created
> > >> text files for the user in question.
> > >>
> > >> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
> > >>
> > >>
> > >> You can also set the debug flag on NetLogon to track authentication.
> > >> "This
> > >> creates a text file on the PDC that can be examined to determine which
> > >> clients are generating the bad password attempts."
> > >> http://support.microsoft.com/kb/189541
> > >> http://support.microsoft.com/kb/109626
> > >>
> > >> --
> > >> Paul Bergson
> > >> MVP - Directory Services
> > >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> > >> 2008, 2003, 2000 (Early Achiever), NT4
> > >>
> > >> http://www.pbbergs.com
> > >>
> > >> Please no e-mails, any questions should be posted in the NewsGroup
> > >> This posting is provided "AS IS" with no warranties, and confers no
> > >> rights.
> > >>
> > >> "Ken Montgomery" <KenMontgomery@discussions.microsoft.com> wrote in
> > >> message
> > >> news:0D2171CF-C48C-436D-AF5E-2BBC808E81CC@microsoft.com...
> > >> > Hi Everyone,
> > >> >
> > >> > We have found a developing problem in our mixed mode environment of
> > >> > Windows
> > >> > 2003 Servers and Windows 2000 servers. On both of my Windows 2000
> > >> > servers, I
> > >> > can watch using the ALTools from Microsoft, specifically the lockout
> > >> > status
> > >> > tool, the Administrator account count up and lock out every few
> > >> > minutes.
> > >> > This does not seem to affect performance of any of my system
> > >> > dramatically,
> > >> > but I'm concerned why it is doing this.
> > >> >
> > >> > I have looked in both the event logs, turned on netlogon logging, etc.
> > >> > but
> > >> > can find no reason for it. Can someone point me in the correct
> > >> > direction
> > >> > for
> > >> > finding a log that will show me where the source of the attempted login
> > >> > is
> > >> > coming from?
> > >> >
> > >> > Then I can possibly troubleshoot the cause...
> > >> >
> > >> > Thanks in advance,
> > >> > Ken
> > >>
> > >>
> > >>
> >
> >
> >