Domain Administrator Lockout


MC

Hi,
I see in system event log SAM database error messages saying that Account
Can't be locked, due to resource error
Event ID:12294, and that account is domain\administrator

That means something or someone is trying to log on to the domain as
administrator but failing. (also can't lock the account, because I
disabled). How do I find from what IP or workstation these attempts are being made?
Event log doesn't mention
Thanks
MC
 
Are you sure you don't have a service on that computer running under the
administrator account with an old admin password?

Check the services that are set to start up automatically. Look for one that
is not started and see what account it is using.


hth
DDS
 
No, service is running as Administrator account.
Besides, it only happens 1 or 2 times a week.
When I look at the Security Log, I see at least 100 attempts within a 1-2 minute
period.
MC
 
Use NETLOGON debug logging

Enabling debug logging for the Net Logon service
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
DBFlag = 0x2080FFFF (in: %windir%\debug\netlogon.log)


google for NETLOGON debug logging and you will find more info

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
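
Once the DBFlag value from the post above is set, netlogon.log records each SamLogon result with the source workstation name and an NTSTATUS code. The Python below is an added example, not part of the original thread: it tallies failed logons for one account by source. The log lines are constructed samples in the usual netlogon.log layout, and the function name `failed_logon_sources` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the netlogon.log layout (not taken from the thread).
SAMPLE_LOG = r"""
02/14 03:12:01 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\Administrator from WKS-LAB07 Entered
02/14 03:12:01 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\Administrator from WKS-LAB07 Returns 0xC000006A
02/14 03:12:02 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\Administrator from WKS-LAB07 (via DC02) Returns 0xC000006A
02/14 03:12:03 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jsmith from WKS-HR01 Returns 0x0
02/14 03:12:04 [LOGON] [4120] EXAMPLE: SamLogon: Network logon of EXAMPLE\Administrator from SRV-APP03 Returns 0xC0000072
02/14 03:12:05 [MISC] EXAMPLE: DsGetDcName function called
"""

# NTSTATUS codes commonly seen on failed logons.
STATUS = {
    0xC000006A: "wrong password",
    0xC0000064: "no such user",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}

LINE_RE = re.compile(
    r"^\d\d/\d\d \d\d:\d\d:\d\d \[LOGON\] (?:\[\d+\] )?[^:]+: SamLogon: "
    r".*?logon of (?P<user>\S+) from (?P<src>\S*)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<code>0x[0-9A-Fa-f]+)$"
)

def failed_logon_sources(log_text, account="administrator"):
    """Count failed SamLogon results per (source, relaying DC, reason) for one account."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Entered" lines and non-LOGON lines carry no result code
        code = int(m["code"], 16)
        name = m["user"].rsplit("\\", 1)[-1].lower()
        if code == 0 or name != account.lower():
            continue  # successful logon, or a different account
        # An empty source field is kept visible as "<blank>" rather than dropped.
        hits[(m["src"] or "<blank>", m["via"] or "-", STATUS.get(code, m["code"]))] += 1
    return hits

if __name__ == "__main__":
    for (src, via, reason), n in failed_logon_sources(SAMPLE_LOG).most_common():
        print(f"{n:4d}  source={src}  via={via}  {reason}")
```

A `via` value names the DC that relayed the request, so the same check is then run against that DC's netlogon.log to get one hop closer to the originating machine.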
 
Did you ever find a solution to this issue?

I have been experiencing the same thing since changing our domain admin
password.

Enabling the logging only shows me that the failed login attempts originate
from the DC logging the errors. I have been through my services ten times to
ensure none are left with the old password.
 