Primary Admin account in AD locked out

  • Question

  • Hi,

    The primary admin account (the account used to create this forest) on the domain controller is showing as locked out. We have admin tools installed on a different computer and we can just see that the account is locked out. The password policy is configured for 5 attempts. Is it possible that the primary Admin account can also be locked out? As per my understanding it will be locked out and will be unlocked the moment we enter the correct password.

    Regards

    Saurabh

    Sunday, December 7, 2014 4:07 AM

Answers

  • "The builtin Admin (SID -500) cannot be locked out"...but why does it show under ADUC as locked out..
    Martin is correct. There is a point in his statement. I think the point is, when you log in using wrong credentials for the Builtin account, it is actually locked and shows locked in ADUC, but the moment you enter the correct password it is unlocked automatically, as you already mentioned yourself. So logically it is not locked. :)

    Mahdi Tehrani | www.mahditehrani.ir
    Please click on Propose As Answer or to mark this post as and helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Thursday, December 11, 2014 5:15 AM
    Moderator
  • The built-in Administrator account cannot be locked out no matter how many failed logons it accrues. It's reflected here: http://technet.microsoft.com/en-us/library/jj852165(v=ws.10).aspx


    --- Jeff (Netwrix)

    • Proposed as answer by SenneVL, Thursday, December 11, 2014 8:53 AM
    • Marked as answer by Mahdi Tehrani (Moderator), Saturday, December 20, 2014 7:43 AM
    Thursday, December 11, 2014 8:00 AM

All replies


  • Is it possible that the primary Admin account can also be locked out? As per my understanding it will be locked out and will be unlocked the moment we enter the correct password.

    Greetings!

    I did not understand exactly what you mean in that bold phrase, but if you mean that when a user gets locked out, it automatically gets unlocked after you type the correct password, the answer AFAIK is No. In that case, what would be the use of account lockout?

    Either you have to unlock the user manually or wait until the lockout duration finishes depending on your settings. 

    For tracking user lockout problems you can refer to this blog:

    Regards.


    Mahdi Tehrani | www.mahditehrani.ir

    Sunday, December 7, 2014 5:02 AM
    Moderator
  • We have 5 domain admin accounts and a default Admin account (the account which is the default and was used to build this forest).

    - For the 5 domain admin accounts, when we hit 5 invalid passwords the account gets locked. If I try using the correct password it still does not allow me in unless I manually unlock the account and then log in.

    - For the default admin account, the account is locked out after incorrect attempts. However, the moment I log in with the correct password it lets me in. I don't have to manually unlock it...

    Hope this clears the confusion

    Sunday, December 7, 2014 10:44 AM
  • -->   For the 5 domain admin accounts when we hit 5 invalid passwords it gets locked. I try using correct password it still does not allow me unless i manully unlock the account and then login.

       

    It is normal behavior.

    -->   For default admin account . The account is locked out with incorrect attempts. However, the moment when i login with correct password it lets me login . I dont have to manually unlock it...

        

    Either it has specific PSO with less than 1 second lockout duration applied to it or someone is unlocking it.

     


    Mahdi Tehrani | www.mahditehrani.ir

    Sunday, December 7, 2014 4:21 PM
    Moderator
  • There is no one who is unlocking the account. It seems to be normal behaviour...

    I was going through this article; any more insight on this?

    http://jorgequestforknowledge.wordpress.com/2006/10/05/the-default-domain-administrator-account-is-locked-2/

    Monday, December 8, 2014 2:44 AM
  • In my lab I was unable to test it and it was not working. Will update you in an hour when I test this in a more complex lab at work. 

    Mahdi Tehrani | www.mahditehrani.ir

    Monday, December 8, 2014 3:20 AM
    Moderator
  • Update: It was unlocked automatically in my second lab. However, it seems wrong credentials entered when you add a network mapped drive do not fall into this category, only wrong credentials at logon. I believe it should be a VM bug or something, because it is unusual for a DC to distinguish between a wrong credential when you add a network mapped drive and a wrong credential when you log on, because in both cases the badpasswordcount is updated.

    Mahdi Tehrani | www.mahditehrani.ir

    Monday, December 8, 2014 4:23 AM
    Moderator
  • The machine at my end is not a VM. Have you gone through the link which I posted earlier? It says it's normal behaviour. I am looking for the answer; the point is how a locked account is unlocked automatically when correct credentials are provided.

    http://jorgequestforknowledge.wordpress.com/2006/10/05/the-default-domain-administrator-account-is-locked-2/

    Monday, December 8, 2014 10:05 AM
  • I was unable to find an official statement by Microsoft proving that this is the normal behavior, but there are other links indicating that behavior. For example:

    It seems that it is automatically unlocked the first time you enter the correct password, but the point is, what is the use of being locked out?

    According to Jorge and other MVPs and experts, yes, it seems to be the default behavior. I will carry on my research about it though, and will update it as soon as I find an official statement.

    Regards.

    Mahdi Tehrani | www.mahditehrani.ir

    Monday, December 8, 2014 11:37 AM
    Moderator
  • > password policy is configured for 5 attempts. Is it possible that the
    > primary Admin account also be locked out ...as per my understanding it
    > will be locked out and will be unlocked the moment we enter correct
    > password.
     
    The builtin Admin (SID -500) cannot be locked out.
     

    Martin

    Ever read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, December 8, 2014 5:02 PM
  • Thanks !

    Taking a deep dive... the account still shows as locked out when I search for it in ADUC. However, in actual terms, is it locked or not? How come we can log in without unlocking it?

    Any technical insight or updates appreciated!

    Also, for "the builtin Admin (SID -500) cannot be locked out", please provide reference links so I can take a deep dive.

    Tuesday, December 9, 2014 10:31 AM
  • awaiting information

    Thursday, December 11, 2014 4:57 AM
  • "The builtin Admin (SID -500) cannot be locked out"...but why does it show under ADUC as locked out..
    Thursday, December 11, 2014 4:59 AM
  • Thanks! So if it is not locked, why does it reflect as Unlocked in ADUC...

    Can you please share some more information on why the builtin Admin (SID -500) cannot be locked out, and is this the behaviour with Win 2K3 and Win 2K12 as well?

    Thursday, December 11, 2014 6:56 AM
  • Thank you for the reply !

    I am failing to understand the behaviour of ADUC... Is this the default behaviour, that it shows locked out as per the password policy, while in the backend the account is not locked out?

    Thursday, December 11, 2014 10:16 AM
  • Hi... any further information?
    Tuesday, December 16, 2014 4:47 AM
  • Hi... any further information?

    Read the whole thread again. It has been answered completely.


    Mahdi Tehrani | www.mahditehrani.ir

    Wednesday, December 17, 2014 7:48 AM
    Moderator
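The checks this thread circles around, written up as an added example (this is not code from the thread or from any of its posters): locate the domain's built-in Administrator by its well-known RID of 500 rather than by name (the account may have been renamed), show which lockout settings actually apply to it (the default domain policy or a fine-grained PSO, which the moderator raised as one explanation), and read the lockout attributes from every domain controller. badPwdCount and badPasswordTime are not replicated, so each DC holds its own counter, while lockoutTime, the attribute the DC sets when the threshold is reached and the value behind the "locked out" display in ADUC, is replicated. The example assumes the RSAT ActiveDirectory module and a domain-joined session with rights to read these attributes; the function name Get-BuiltinAdminLockoutState is my own.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-BuiltinAdminLockoutState {
    [CmdletBinding()]
    param()

    $domain = Get-ADDomain
    # The built-in Administrator always has RID 500 in its own domain.
    # Look it up by SID so a renamed account is still found.
    $sid = "$($domain.DomainSID.Value)-500"

    $admin = Get-ADUser -Identity $sid -Properties SamAccountName, LockedOut, lockoutTime, badPwdCount

    # Which lockout settings apply? A fine-grained password policy (PSO) wins over
    # the default domain policy; the resultant-policy cmdlet returns nothing if no PSO applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $admin -ErrorAction SilentlyContinue
    if ($pso) {
        $policyName = $pso.Name
        $policy     = $pso
    } else {
        $policyName = 'Default Domain Policy'
        $policy     = Get-ADDefaultDomainPasswordPolicy
    }

    Write-Host ("Account {0} (SID {1})" -f $admin.SamAccountName, $sid)
    Write-Host ("Lockout policy: {0}; threshold {1}; duration {2}; observation window {3}" -f
        $policyName, $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow)

    # badPwdCount and badPasswordTime are kept per DC and never replicated, so ask every DC.
    # lockoutTime is replicated; 0 or absent means "not locked".
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $sid -Server $dc.HostName `
                            -Properties lockoutTime, badPwdCount, badPasswordTime, LockedOut

            $badTime  = $null
            $lockTime = $null
            if ($u.badPasswordTime) { $badTime  = [DateTime]::FromFileTime($u.badPasswordTime) }
            if ($u.lockoutTime)     { $lockTime = [DateTime]::FromFileTime($u.lockoutTime) }

            [pscustomobject]@{
                DC              = $dc.HostName
                LockedOut       = $u.LockedOut
                BadPwdCount     = $u.badPwdCount
                BadPasswordTime = $badTime
                LockoutTime     = $lockTime
            }
        } catch {
            # A DC that cannot be reached still gets a row so the gap is visible.
            [pscustomobject]@{
                DC              = $dc.HostName
                LockedOut       = $null
                BadPwdCount     = $null
                BadPasswordTime = $null
                LockoutTime     = "unreachable: $($_.Exception.Message)"
            }
        }
    }
}

Get-BuiltinAdminLockoutState | Format-Table -AutoSize
```

Reading the output: for the RID-500 account, a set lockoutTime together with a successful logon using the correct password is exactly the situation described in the thread, the DC records the lockout but does not enforce it. For any other account that same combination would mean a genuine lockout that needs a manual unlock or the lockout duration to expire. Because the built-in Administrator is not locked out by failed attempts, a nonzero badPwdCount on several DCs for this account is worth treating as possible password guessing rather than as a user typo, and the per-DC view shows which DC is receiving the attempts.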