Ever since we changed all passwords in our 2003 AD we've tracked down all
the dependent services except one.

According to the event logs a specific Domain Admin account is locked, every
hour at the exact same minute and the source "Caller Machine Name" is always
the same Windows Server 2003 SP2 Domain Controller at a remote location. The
minute value on which this locked-account event repeats will only change
when we reboot the server. i.e., at the moment it's happening every hour at
43 minutes past the hour, but before we did a series of reboots trying to
troubleshoot this the account would get locked at every 18 minutes after the
hour.

This DC sits behind a Cisco PIX firewall/VPN device with the latest OS and
I've confirmed the only Internet connection allowed is outgoing UDP port 53.

This DC is an HP DL380 G3 with all the latest HP firmware and software
management updates as of last week and we are current on all Microsoft "High
Priority" updates.

On this specific DC in Computer Management I looked at the Services by
sorting by Log On As and found all services are set to logon as Local System
or Network Service. None are configured for a specific AD account. So I
believe the problem is not here.

I did a search of the registry for the AD account name and found numerous
entries but they were exclusively related to that account performing Windows
updates a few weeks ago. However the account password did change since those
updates were done, so that has me wondering if that has anything to do with
it.

I even went so far as to delete the profiles and all folders I could find
that were created by that account. And I uninstalled many applications which
were unnecessary to the functions of this server, and even uninstalled and
reinstalled some of the apps we did need. Later I logged on again as the
account and let it create a new profile hoping the DC would somehow
recognize the new password. And of course rebooted numerous times.

I also used Task Manager to watch all the processes "by all users" while the
event happened as the account was locked at 43 minutes past the hour, hoping
to hit the PrintScreen button the moment it appears. It never appeared.

I changed the Audit Policies to give more detailed information for security
event logging: Default Domain Policy | Computer Configuration | Windows
Settings | Security Settings | Local Policies | Audit Policies | set to
check for Success and Failures on all nine of the items in this subset. But
this did not provide any additional information that was useful.

I am considering changing the password back to what it had been to see if
the problem goes away, however since then we've implemented password
complexity so now that password is not allowed. So I would have to turn off
the password complexity again. And of course change that password everywhere
else it is used. Phew.

Please let me know if you know where else to look because at the moment I am
out of ideas.

Thanks!
-Bob

Re: Hourly event locking account? by Don

Don
Thu Mar 27 12:30:15 PDT 2008

What makes you sure the process using the account is actually on the DC? It
could be a scheduled event running elsewhere but authenticating to this
controller. Check other machines in the same AD site.

--
Hope it helps!

dw

----------------------------------------------
Don Wilwol
www.atthedatacenter.com



"just bob" <kilbyfan@aoldotcom> wrote in message
news:13unoge8t81850c@news.supernews.com...



Re: Hourly event locking account? by just

just
Thu Mar 27 13:38:53 PDT 2008

Is that not what the event message below tells me?

Security: NT AUTHORITY\SYSTEM:
User Account Locked Out:
Target Account Name: MYDOMADM Target Account ID:
%{S-1-5-21-67914641-466965320-XXXXXXXX-XXXX}
Caller Machine Name: REMOTE1 Caller User Name: REMOTE1$ Caller Domain:
MYDOMAIN Caller Logon ID: (0x0,0x3E7)

In the example above the account getting locked is called "MYDOMADM". The
"Caller Machine Name" is REMOTE1, the DC getting the event message.
Normally when an account gets locked by a user trying a bad password too
many times I get this exact same message and the Target Account Name is the
user and the "Caller Machine Name" is the machine they tried to login to.
Similarly, if they try to access a network resource on a server with a bad
password too many times and lock the account, this event message will still
show the user's machine name, and not the machine they were trying to connect
to, IIRC.

I hope that makes sense but I wonder if I missed the point of your post.

Thanks,
-Bob
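Added example, not code from the thread: a small Python correlation script that takes the lockout record Bob pasted as its input format and does two things the thread is circling around. First, it groups "User Account Locked Out" events by Caller Machine Name and checks for the signature Bob describes (one fixed minute mark, sixty minutes apart). Second, following Don's point that the caller may only be the DC a process elsewhere authenticated against, it looks in that caller DC's own log for the bad-password failures that preceded each lockout and reports the Workstation Name they carry, which is the host actually holding the stale credential. The event IDs 644 (lockout) and 529 (logon failure, bad password) are the Windows Server 2003 IDs for these messages; the flat "timestamp|host|event id|message" export format, the hosts PDC1 and APPSRV2, the user JSMITH and all timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one record per line: "timestamp|logging host|event id|message".
# Field labels follow the Windows Server 2003 security-log text; PDC1 is the DC that
# records the lockouts, REMOTE1 the DC named as caller, APPSRV2 a made-up member server.
SAMPLE_LOG = """\
2008-03-27 09:42:51|REMOTE1|529|Logon Failure: Reason: Unknown user name or bad password User Name: MYDOMADM Domain: MYDOMAIN Logon Type: 3 Workstation Name: APPSRV2
2008-03-27 09:42:52|REMOTE1|529|Logon Failure: Reason: Unknown user name or bad password User Name: MYDOMADM Domain: MYDOMAIN Logon Type: 3 Workstation Name: APPSRV2
2008-03-27 09:43:01|PDC1|644|User Account Locked Out: Target Account Name: MYDOMADM Caller Machine Name: REMOTE1 Caller User Name: REMOTE1$ Caller Domain: MYDOMAIN Caller Logon ID: (0x0,0x3E7)
2008-03-27 10:15:10|WKS17|529|Logon Failure: Reason: Unknown user name or bad password User Name: JSMITH Domain: MYDOMAIN Logon Type: 2 Workstation Name: WKS17
2008-03-27 10:15:20|PDC1|644|User Account Locked Out: Target Account Name: JSMITH Caller Machine Name: WKS17 Caller User Name: WKS17$ Caller Domain: MYDOMAIN Caller Logon ID: (0x0,0x3E7)
2008-03-27 10:42:50|REMOTE1|529|Logon Failure: Reason: Unknown user name or bad password User Name: MYDOMADM Domain: MYDOMAIN Logon Type: 3 Workstation Name: APPSRV2
2008-03-27 10:43:00|PDC1|644|User Account Locked Out: Target Account Name: MYDOMADM Caller Machine Name: REMOTE1 Caller User Name: REMOTE1$ Caller Domain: MYDOMAIN Caller Logon ID: (0x0,0x3E7)
2008-03-27 11:42:49|REMOTE1|529|Logon Failure: Reason: Unknown user name or bad password User Name: MYDOMADM Domain: MYDOMAIN Logon Type: 3 Workstation Name: APPSRV2
2008-03-27 11:43:02|PDC1|644|User Account Locked Out: Target Account Name: MYDOMADM Caller Machine Name: REMOTE1 Caller User Name: REMOTE1$ Caller Domain: MYDOMAIN Caller Logon ID: (0x0,0x3E7)
"""

# Labelled fields as they appear in the 2003 event text; longer labels are listed first
# so "Caller User Name" is not swallowed by "User Name".
FIELD_RE = re.compile(
    r"\b(Target Account Name|Caller Machine Name|Caller User Name|Caller Domain|"
    r"User Name|Domain|Logon Type|Workstation Name): (\S+)")


def parse_record(line):
    """Split one export line and pull the labelled fields out of the message text."""
    stamp, host, event_id, message = line.split("|", 3)
    return {"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "host": host, "event_id": int(event_id),
            "fields": dict(FIELD_RE.findall(message))}


def load_records(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def lockout_pattern(records, account):
    """Group lockouts (644) of `account` by Caller Machine Name and describe their timing:
    the minute-of-hour marks and the gaps in minutes between consecutive lockouts."""
    by_caller = defaultdict(list)
    for r in records:
        if r["event_id"] == 644 and r["fields"].get("Target Account Name") == account:
            by_caller[r["fields"]["Caller Machine Name"]].append(r["time"])
    summary = {}
    for caller, times in by_caller.items():
        times.sort()
        gaps = [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
        marks = sorted({t.minute for t in times})
        summary[caller] = {
            "count": len(times), "minute_marks": marks, "gaps_minutes": gaps,
            # The signature of a scheduled job: one minute mark, sixty minutes apart.
            "hourly_fixed_minute": len(marks) == 1 and bool(gaps) and all(g == 60 for g in gaps),
        }
    return summary


def find_origins(records, account, window_seconds=300):
    """For each lockout of `account`, search the log of the Caller Machine (the DC that
    took the bad passwords) for 529 failures of the same user shortly before the lockout
    and collect the Workstation Name they carry: that is the host still presenting the
    old password. Returns {lockout time: sorted list of workstation names}."""
    failures = [r for r in records
                if r["event_id"] == 529 and r["fields"].get("User Name") == account]
    origins = {}
    for r in records:
        if r["event_id"] != 644 or r["fields"].get("Target Account Name") != account:
            continue
        earliest = r["time"] - timedelta(seconds=window_seconds)
        hits = {f["fields"].get("Workstation Name", "?") for f in failures
                if f["host"] == r["fields"]["Caller Machine Name"]
                and earliest <= f["time"] <= r["time"]}
        origins[r["time"]] = sorted(hits)
    return origins


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for caller, info in lockout_pattern(recs, "MYDOMADM").items():
        print(f"caller {caller}: {info}")
    for when, hosts in find_origins(recs, "MYDOMADM").items():
        print(f"{when:%H:%M:%S} lockout -> bad passwords came from {hosts}")
```

The point of the second pass is that the lockout event on its own only names the DC that counted the bad passwords; the failed-logon events on that DC are what name the originating host. In the constructed data that host is APPSRV2, not REMOTE1, which is the situation Don's reply describes. On a real 2003 domain the same correlation needs the failure auditing Bob already enabled, and the security log of the caller DC, not of the DC showing the lockout.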

"Don Wilwol" <donWilwol@(EMAIL)yahoo.com> wrote in message
news:%23gjuAEEkIHA.4076@TK2MSFTNGP05.phx.gbl...


Re: Hourly event locking account? by Don

Don
Thu Mar 27 14:00:14 PDT 2008

see if this helps
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


--
Hope it helps!

dw

----------------------------------------------
Don Wilwol
www.atthedatacenter.com



"just bob" <kilbyfan@aoldotcom> wrote in message
news:13uo1ets0vc3gcf@news.supernews.com...



Re: Hourly event locking account? by just

just
Thu Mar 27 21:00:09 PDT 2008

For whatever reason that adlockout.dll tool made my Ops Master go crazy with
services crashing. I had to remove it from the registry and reboot and now
everything is fine. I did however install it on the remote DC and waited for
the lockout to occur, which it did, however there was no reference to the
account in the lockout debug file. I'm lost! But tomorrow I will try to read
some more about the tools available.

-Bob

"Don Wilwol" <donWilwol@(EMAIL)yahoo.com> wrote in message
news:%23v5fS2EkIHA.3460@TK2MSFTNGP02.phx.gbl...