Local Admin locking Domain Admin

    Question

  • I changed the Domain Admin's account password a while back. No services or apps are using the Domain Admin account. I am having a weird issue with this account though. If I login to a server using the local admin account, the domain admin account gets locked. If I am for example, logged into a PC or server with my user account and remote desktop into a server using the local admin (localhost\administrator), the domain admin (company\administrator) gets locked.

    The local admin and domain admin both have had different passwords before and after the domain admin pwd was changed.

    Here's an example:

    A user account was locked out.

    Subject:
        Security ID:        SYSTEM
        Account Name:        DC01$
        Account Domain:        COMPANYDOMAIN
        Logon ID:        0x3e7

    Account That Was Locked Out:
        Security ID:        COMPANYDOMAIN\Administrator
        Account Name:        Administrator

    Additional Information:
        Caller Computer Name:    FILE01

    Monday, December 5, 2016 9:28 PM

All replies

  • Hi
     First, these are the possibilities for a lockout issue:
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -ActiveSync devices (cell phone, etc.)

    You can check the source with the Account Lock tool (for Server 2003): https://www.microsoft.com/en-us/download/details.aspx?id=15201
    A newer tool to troubleshoot this in Windows Server 2008 R2 is dsac.exe, the "Active Directory Administrative Center"; check this article: https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    You can also check with third-party tools such as Lepide and Netwrix.

    Otherwise you should configure advanced audit policy to find the lockout source;

    https://technet.microsoft.com/en-us/library/dn319056(v=ws.11).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Tuesday, December 6, 2016 6:51 AM
  • Please check the article below too, which summarizes a few common root causes of account lockout issues and how to resolve them: https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/
    Tuesday, December 6, 2016 7:18 AM
  • Hi,

    We could enable some audit settings and query corresponding Event logs to troubleshoot the account lockout issue.

    First, please make sure you have enabled all the audits at the domain level.

    Audit account logon events

    https://technet.microsoft.com/en-us/library/cc976367.aspx

    Audit logon events

    https://technet.microsoft.com/en-us/library/cc976395.aspx

    Then enable the settings below:

    1. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Account Management

    Configure: Audit User Account Management Success and Failure

    2. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff

    Configure: Audit Account Lockout to audit Success and Failure

    When an account is locked out, a 4740 event is logged in the Security log on the PDC of your domain. Every account lockout is recorded there in the security event log. The PDC emulator is a central place that can be queried for all account lockout events. Before looking for an event ID of 4740, we need to find the domain controller that holds the PDC emulator role. One way to do this is by using the Get-AdDomain cmdlet.

    Then you could query the security event log for event ID 4740.

    More articles for your reference:

    Active Directory: Troubleshooting Frequent Account lockout

    http://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 6, 2016 8:45 AM
    Moderator
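The procedure in the reply above (find the PDC emulator with Get-ADDomain, then query its Security log for event 4740) as a worked PowerShell example. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module is installed and that the caller can read the PDC's Security log remotely. The account name, look-back window and the `CallerComputer` column are my own choices.

```powershell
# Added example (not from the thread): locate the PDC emulator and list 4740
# lockout events for one account, showing which computer triggered each lockout.
# Assumes RSAT ActiveDirectory module + remote read access to the PDC Security log.
param(
    [string]$AccountName = 'Administrator',   # sAMAccountName that keeps locking
    [int]$Hours = 24                          # how far back to search
)

Import-Module ActiveDirectory

# Every lockout is forwarded to the PDC emulator, so query that DC specifically
# rather than whichever DC the client happens to talk to.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the event XML so fields are addressed by name, not by message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" shown in the message is
            # carried in the TargetDomainName data field (e.g. FILE01 in the thread).
            CallerComputer = $data['TargetDomainName']
            ReportingDC    = $pdc
        }
    } |
    Where-Object { $_.LockedAccount -eq $AccountName } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The `CallerComputer` column is the machine to inspect next for mapped drives, saved credentials or RDP sessions running as the same-named local account.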
  • All map drives run under the logon user's credentials. No logon scripts, no runas shortcuts, or services running using the admin account. There's nothing in our environment that uses or should use the domain admin account.

    I was able to replicate the issue by adding a domain user to a share logged on as local admin. For example, I log in as server1\administrator, go to a share to add a domain user. When I do this I get asked to sign in with a domain account which I do (using my own), and add the user.

    It seems that before I get asked to enter my credentials, it tries to access the Domain Controller using the current admin account and locks the domain admin. I've never seen this happen. It all started after the domain admin password was changed. Both local and domain admin have had different passwords, always.

    This is from another forum: "do you use the same user names for the local and for the domain administrator account in this case, but with different password? (i.e. logged in locally with account workstation\administrator - which is not a good idea to do and having a domain account administrator with different password)

    If you start to create a domain user account from the local machine, it attempts to log on the current credentials, but will fail to do so due to the different password (as will fail each access to a domain resource). This would lead to the logout in context with the threshold."

    Side note. I ran wireshark during this process and did see the local admin trying to authenticate to the domain and getting an error of, "nca_s_fault_access_denied"

    Wednesday, December 7, 2016 9:36 PM
  • Hi,

    You manually added a domain user to a share on the workstation using the Domain Admin credentials. By default those credentials will be saved in the user profile. If the Domain Admin account has had the password changed since then, the "reconnect at logon" is causing your issue.

    Open a command prompt and use net use * /del to disconnect any connections to your network resources.

    Besides, I would suggest you use different names for the local and domain administrator accounts.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 8, 2016 7:47 AM
    Moderator
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 12, 2016 1:29 PM
    Moderator
  • I simply stopped using the local admin account and so far all is good.

    Thank you for all your help.

    • Edited by alexltk0506 Monday, December 12, 2016 4:27 PM
    • Proposed as answer by AlvwanModerator Tuesday, December 13, 2016 2:48 AM
    Monday, December 12, 2016 4:27 PM
  • Hi,

    Thanks for sharing your current progress.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 13, 2016 2:48 AM
    Moderator