Windows 2000 Local Administrator Locked Up

  • Thread starter Thread starter Philip
  • Start date Start date
P

Philip

Hi, we have some Windows 2000 servers which were upgraded
from Windows NT 4.0. Ever since we have not used the local
administrator account. But recently we noticed that the
local administrator of most of the Windows 2000 servers
were locked up. But understand that local Administrator
cannot be locked up.. is it a bug in the OS??

Thanks.
 
That is interesting. Make sure that these are not true administrator
accounts as some will rename that account and create a decoy adminstrator
account that is a normal account that can be locked out - use "net use
administrator" to see actual group membership on that computer. Also if
passprop was implemented in the past, it is possible for an administrator
account to be locked out for network type three logon but not
interactive/console logon. --- Steve

http://www.jsiinc.com/SUBE/tip2000/rh2077.htm --- description of passprop
 
Hi Steven, none of the server used Passprop previously. I have unlocked the Administrator yesterday and test it out at the server end, it did not get lockup after 10 tries. But when I check again today, it get locked up again...


----- Steven L Umbach wrote: -----

That is interesting. Make sure that these are not true administrator
accounts as some will rename that account and create a decoy adminstrator
account that is a normal account that can be locked out - use "net use
administrator" to see actual group membership on that computer. Also if
passprop was implemented in the past, it is possible for an administrator
account to be locked out for network type three logon but not
interactive/console logon. --- Steve

http://www.jsiinc.com/SUBE/tip2000/rh2077.htm --- description of passprop
 
Hmm. Try enabling auditing for account logon and logon events on a couple of those
servers to see if you can determine what is causing the lockouts though that doesn't
explain why the built in administrator account is being locked out. I would suggest
running PsGetSid on one of those computers to verify that the account being locked
out is the built in administrators account by using "psgetsid administrator" to see
if the last three numbers are -500 which only the built in administrator account
would have. The last link is helpful in tracking down lockouts which could indicate
hacking attempts. --- Steve

http://www.sysinternals.com/ntw2k/freeware/psgetsid.shtml --- PsGetSid.
http://support.microsoft.com/default.aspx?scid=kb;en-us;300549 --- W2K auditing.
http://is-it-true.org/nt/atips/atips155.shtml
http://www.microsoft.com/technet/tr...ndowsserver2003/maintain/operate/BPACTLCK.asp


Philip said:
Hi Steven, none of the server used Passprop previously. I have unlocked the
Click to expand...
Administrator yesterday and test it out at the server end, it did not get lockup
after 10 tries. But when I check again today, it get locked up again...
 
Back
Top