Server is hitting the AD with a user account

  • Question

  • Hi Guys,

    I'm facing a strange issue: one of my servers (Windows Server 2008 Std R2) is hitting Active Directory with a domain account, and because of that the domain user account is getting locked out very frequently, say within a minute it gets locked out (we have a policy to lock out the account after 5 wrong PW tries). I got this info from security event log number 4740 on the DC; it simply shows the account that was locked out, and the caller computer is that server. The server has SQL Server 2008 installed. I already checked all the services to see if any SQL instance is using that account to authenticate, but that user account is not configured anywhere. Just to make sure, I shut down the server for 15 minutes and the user account didn't get locked out for those 15 minutes. I have downloaded the 'lockoutstatus' tool from Microsoft to check the lockout status of the account. I already deleted the user profile from the 'My Computer properties - Advanced' tab, as earlier a user was using this account to log in on the server, but it's been months since we gave him another account, and since then he stopped using this account on the server. I tried to reset the PW and disabled the account for a couple of hours to see if the server would stop trying to hit AD, but nothing worked. My AD is running on Windows Server 2008 Std R2.

    Please help: what could be the solution for this issue? How do I identify who is using that account on the server?

    Sunday, May 1, 2016 11:18 AM

Answers

  • It may be hard to identify the exact component which is querying using your user account. The first place to look would be the scheduled tasks and the running services. If this does not help, you can start stopping the services until you figure out which one is problematic.

    In general, you may not want to have a lockout policy for a service account. The reason is that it would be easy for someone to cause a denial of service; he just needs to cause a few logon failures. Also, you may want to consider renaming your account logins in case you are still unable to find the cause of the logon failures.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    Sunday, May 1, 2016 8:43 PM
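
The checks suggested in the answer above (services and scheduled tasks), plus a look at the failed-logon events on the server named as the caller computer, can be scripted as follows. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later on the member server, an elevated prompt, logon-failure auditing enabled, English-language `schtasks` column names, and `$Account` as a placeholder for the locked-out account name.

```powershell
# Added example. $Account is a placeholder: set it to the locked-out sAMAccountName.
$Account = 'olduser'

# 1. Services configured to log on as the account.
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -like "*$Account*" } |
    Select-Object Name, DisplayName, StartName, State

# 2. Scheduled tasks that run as the account. The verbose CSV output carries
#    the "Run As User" and "Task To Run" columns on English-language systems.
schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -like "*$Account*" } |
    Select-Object TaskName, 'Run As User', 'Task To Run' -Unique

# 3. Failed logons (event 4625) recorded on this server for the account in the
#    last hour. ProcessName and LogonType point at the component that is
#    presenting the stale password (2 = interactive, 3 = network, 4 = batch,
#    5 = service). Requires "Audit Logon" failure auditing on this server.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) }
$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields of the event into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetUserName'] -like "*$Account*") {
            New-Object PSObject -Property @{
                Time         = $_.TimeCreated
                LogonType    = $data['LogonType']
                ProcessName  = $data['ProcessName']
                LogonProcess = $data['LogonProcessName']
                SourceIp     = $data['IpAddress']
                Workstation  = $data['WorkstationName']
            }
        }
    }

# Summarise: which process and logon type produce the failures, and how often.
$failures | Group-Object ProcessName, LogonType, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If step 3 shows a source IP or workstation other than the server itself, the failing logon originates on another machine that connects to this server, and the same checks apply there.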

All replies

  • Hi Vinig,

    Agree with Mr X.

    In addition, please check whether you have installed any 3rd-party software or applications that have used this account.

    Besides, I have searched a lot and didn't find a better way to keep track of who is using the specific account.

    We could monitor the account logon time, but may not be able to monitor who is logging in to the server and from which place, unless this specific account belongs to someone.

    Best regards,


    Andy_Pan

    Monday, May 2, 2016 9:20 AM
    Moderator