1-949-407-5125
Been working with this issue for over a Month now, finally decided to reach out on forums..
I first noticed the issue when using Netwrix Auditor. I started seeing an account lockout every hour on the Domain\Administrator account. From the Domain Controller server itself. Constant lockouts.
I decided to download Netwrix Lockout Examiner to see if I could see what was causing it.
All I can see is basic: from:DC\Domain.com at Date and time. (attached Image)
I tried some googling and some event log digging, and all I could find was info that looks like this:
User name, Client IP, Kerberos pre-auth failed, error code 0x18. Nothing that is helping me.
Every hour at 10 til, it fails to login to the account roughly 40 times within 8 seconds. (This does not lock the account). I tested this one by unlocking it just before the 10 til the hour mark.
Every 1-4 minutes sporadically something else is trying to login, which is continuously locking the account out.
I've also already dug through scheduled tasks, and services to try to find what might be using the credentials but to no avail.
IS there a way... that some kind of auditing service or logs can tell me exactly what service or program is failing to login and causing these failures and lockouts? currently none of the software I've tried can tell me that information... only that it is in fact happening.
Attached Files
-
Lock.png 25.41KB
0 downloads
