Domain Controller Locking Admin account


3 replies to this topic

#1 OffandOnAgain (Newbie, Members, 3 posts)

Posted 05 March 2018 - 09:15 PM

Been working with this issue for over a month now, finally decided to reach out on forums...

I first noticed the issue when using Netwrix Auditor. I started seeing an account lockout every hour on the Domain\Administrator account. From the Domain Controller server itself. Constant lockouts.

I decided to download Netwrix Lockout Examiner to see if I could see what was causing it.

All I can see is basic: from:DC\Domain.com at date and time (attached image).

I tried some googling and some event log digging, and all I could find was info that looks like this:

User name, Client IP, Kerberos pre-auth failed, error code 0x18. Nothing that is helping me.

Every hour at 10 til, it fails to log in to the account roughly 40 times within 8 seconds. (This does not lock the account.) I tested this one by unlocking it just before the 10 til the hour mark.

Every 1-4 minutes sporadically something else is trying to log in, which is continuously locking the account out.

I've also already dug through scheduled tasks and services to try to find what might be using the credentials, but to no avail.

Is there a way... that some kind of auditing service or log can tell me exactly what service or program is failing to log in and causing these failures and lockouts? Currently none of the software I've tried can tell me that information... only that it is in fact happening.

Attached Files

  • Lock.png (25.41KB)


#2 OffandOnAgain (Newbie, Members, 3 posts)

Posted 05 March 2018 - 09:55 PM

Added Info:

Sometimes I do get the expand box on the invalid logins, but it tells me that in order to view detailed information I need to enable the Failure Audit logon policy on the target workstation, which is 100% enabled.

I updated this in my GPO Default Domain Policy, which is my DC. Windows Server 2008 R2.

 

Thanks in advance.



#3 OffandOnAgain (Newbie, Members, 3 posts)

Posted 06 March 2018 - 02:47 PM

Update:

I finally fixed the error saying to enable the audit policy. Now that I have, there are no longer any details or expand boxes to show me details. :(

https://ibb.co/mNh2cn



#4 AndreyK (Member, Members, 15 posts)

Posted 13 March 2018 - 11:03 AM

Hello,

 

If Netwrix Auditor is showing the DC itself in the Workstation field, this doesn't necessarily mean that the failed logons happened on that DC. It might show the DC if it was unable to determine the workstation.

The client IP from the 4771 events that you mentioned in your original post: is it the DC itself? If not, it might be the workstation from which the logon attempts come. Then you could go to that workstation and check events 4625.

You might also want to check NTLM logs and NetLogon logs: http://tritoneco.com...tlogon-logging/

 

Let me know if you get any additional info.

 

AndreyK
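The step AndreyK suggests (read the client IP out of the 4771 events rather than trusting the Workstation field) can be done directly on the DC. The script below is an added example, not from the thread or from Netwrix: it pulls event 4771 from the Security log, keeps only pre-auth failures for one TargetUserName, groups them by the IpAddress field, and flags bursts like the "40 attempts within 8 seconds" pattern so the hourly job can be told apart from the sporadic lockout source. The account name, look-back window and burst thresholds are assumed parameters; run it in an elevated PowerShell on the domain controller.

```powershell
# Added example: summarise Kerberos pre-authentication failures (event 4771)
# for one account by source address and flag bursts. Not the thread's own code.
# 4771 only covers Kerberos; NTLM failures land in 4776/4625 instead.
param(
    [string]$Account     = 'Administrator',  # TargetUserName to look for (assumed)
    [int]   $Hours       = 24,               # how far back to read the Security log
    [int]   $BurstCount  = 20,               # this many attempts within $BurstWindow seconds
    [int]   $BurstWindow = 10                # ... counts as a burst (thresholds assumed)
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $since } -ErrorAction Stop

# Flatten each event's EventData into name/value pairs; the field names
# (TargetUserName, IpAddress, IpPort, Status) are from the 4771 schema.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    if ($d['TargetUserName'] -ne $Account) { continue }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Ip     = $d['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        Port   = $d['IpPort']
        Status = $d['Status']                              # 0x18 = bad password
    }
}

'Pre-auth failures for {0} since {1}, per source address:' -f $Account, $since
$rows | Group-Object Ip | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
        @{ n = 'LastSeen';  e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize

# Burst detection: slide a window of $BurstCount attempts over each address's
# sorted timestamps and report the first window that fits in $BurstWindow seconds.
'Bursts ({0}+ attempts within {1}s):' -f $BurstCount, $BurstWindow
foreach ($g in ($rows | Group-Object Ip)) {
    $t = @($g.Group | Sort-Object Time | ForEach-Object Time)
    for ($i = 0; $i + $BurstCount - 1 -lt $t.Count; $i++) {
        if (($t[$i + $BurstCount - 1] - $t[$i]).TotalSeconds -le $BurstWindow) {
            '  {0}: burst starting {1}' -f $g.Name, $t[$i]
            break
        }
    }
}
```

If the only address reported is the DC's own, the failing logon originates locally (a service, scheduled task or mapped drive on the DC); otherwise the listed addresses are the machines to inspect for 4625 events as suggested above.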





