Built-in Domain Administrator Account Repeated Locks

This account was disabled years ago and is not used. However, 4740 events are regularly generated. It shows the calling computer name as one of our servers. So, I logged into that server and looked in the local security event log, and there are no references to account lockouts at the time the 4740s are generated on the domain controllers.
I checked for services running on the server using administrator credentials and I checked for scheduled tasks using administrator credentials, and I don't see anything on the server listed as caller computer.
I renamed the "User logon name" for this account to something different so that it would no longer be a match if something is trying to authenticate using the logon name of "administrator." However, this has not helped. The account still generates the 4740.
I checked the domain "Administrator" account again today and it was no longer disabled. So, I disabled it again and will see if it still gets locked out again in the next 24 hours.
How can an account with the user id changed still get locked out? It seems very strange that the account can be locked out when the user name no longer matches anything that could have ever had that user id saved.
What can be done to fix this issue?

Hi,
If possible, please do the following steps.
Note: here I have taken the user account name as User1.
1. Using ADSIEDIT, changed the value of the UserAccountControl attribute of the User1 account to 66082 (numerical), i.e. 0x10222 (in hex), and disabled it.
   a. This value is the sum of the following attributes: ACCOUNTDISABLE; PASSWD_NOTREQD; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
   b. Its current value was 0x10202, aka 66050 in dec (I believe this implies ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD)
2. Then for the account (in ADUC) do the following:
   a. Unchecked the "user cannot change password" -> OK
   b. Right-clicked on the 'User1' account, selected reset password, kept it blank and clicked OK
      i. This step is to set a NULL password for the User1 account and keep it disabled
   c. Right-clicked on the User1 account and checked the "user cannot change password" again
https://support.microsoft.com/en-us/kb/305144?wa=wsignin1.0
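
Added example, not part of the original reply: a PowerShell decoder for the two userAccountControl values quoted above, using the flag table from KB305144, that reports which bits the suggested change adds or removes. The function names are hypothetical; the values 66050 and 66082 are the ones from the reply.

```powershell
# Added example: userAccountControl flag values as listed in Microsoft KB305144.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

function ConvertFrom-UserAccountControl {   # hypothetical helper name
    param([Parameter(Mandatory)][int]$Value)
    $known = 0
    foreach ($name in $UacFlags.Keys) {
        $bit   = $UacFlags[$name]
        $known = $known -bor $bit
        if ($Value -band $bit) { $name }          # emit the name of every set flag
    }
    # Report any bit the table above does not name instead of silently dropping it.
    $rest = $Value -band (-bnot $known)
    if ($rest) { 'UNKNOWN_0x{0:X}' -f $rest }
}

function Compare-UserAccountControl {       # hypothetical helper name
    param([Parameter(Mandatory)][int]$Before, [Parameter(Mandatory)][int]$After)
    $b = @(ConvertFrom-UserAccountControl -Value $Before)
    $a = @(ConvertFrom-UserAccountControl -Value $After)
    [pscustomobject]@{
        Before      = '0x{0:X} ({0})' -f $Before
        After       = '0x{0:X} ({0})' -f $After
        BeforeFlags = $b -join ' | '
        AfterFlags  = $a -join ' | '
        Added       = @($a | Where-Object { $_ -notin $b }) -join ', '
        Removed     = @($b | Where-Object { $_ -notin $a }) -join ', '
    }
}

# The "current" and "new" values quoted in the reply.
Compare-UserAccountControl -Before 66050 -After 66082 | Format-List
```

The same comparison works on a value read from the directory, for example the userAccountControl attribute shown in ADSIEDIT, before and after the change is made.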

Similar Messages

  • Domain Administrator account being locked up by PDC

    Hi everyone,
    My PDC is locking up my domain administrator (administrateur in french) account.
    System event logs :
    The SAM database was unable to lockout the account of Administrateur due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
    Level : Error
    Source : Directory-Services-SAM
    Event ID : 12294
    Computer : Contoso-PDC
    User : System
    There are absolutely no events in the security events log, not a single "Audit Failure" event for the "administrateur" account.
    I tried to change the name of the domain administrator account from "administrateur" to "administrator".
    Now there are "Audit failure" events popping up in the security event logs.
    Once again the Source Workstation is the PDC. I guess those events are there because it receives credential validation for an account which doesn't exist anymore since it has been renamed to "Administrator".
    Here is the detail log :
    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Administrateur
    Account Domain: CONTOSO
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: CONTOSO-PDC
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    On the PDC I checked:
    Services: None of them are started with the "administrateur" account
    Network Share: There is no network share ...
    Task Scheduler: None of the tasks are launched with the "administrateur" account.
    And the logon type (3: network) seems to indicate that the login comes from another computer, but I have nothing to look for, not a single IP.
    Any ideas?
    PS: Sorry for the probable English mistakes :(

    Hi,
    Thanks for your answers.
    San4wish :
    Lockout tool confirms that the domain administrator account is locked on my PDC. I didn't run eventcomb but I thought it only helped parsing security event logs, which I did "manually". Anyway I'll try eventcomb after this weekend.
    About the Conficker worm: I looked into it and this worm was exploiting a vulnerability in the Server service. It has been patched by MS08-067 (KB958644) and this KB isn't available for Windows 2008 R2 and Windows 2012, so I guess Windows 2008 R2 has fixed this vulnerability.
    So I doubt it's a Conficker type worm.
    Also I gave the PDC role to another DC (let's call him DC2) and now DC2 is locking the administrator account, so it seems that the computer locking the account is doing it through the network and it's not something executed on the DCs.
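
Added example, not part of the original posts: a PowerShell function that reduces 4740 and 4625 event XML to the fields these threads keep returning to (locked account, caller computer, source address, logon type, Sub Status). The two sample events are constructed: the 4625 reuses the values quoted above, while the server name APPSRV01, the DC name and the timestamps are made up; the function name is hypothetical.

```powershell
# Added example. NTSTATUS codes seen in the Status / Sub Status fields of event 4625.
$NtStatus = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE: unknown user name or bad password'
    '0xc0000064' = 'STATUS_NO_SUCH_USER: the name does not match any account'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD: account exists, password is wrong'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
}

function ConvertFrom-LockoutEventXml {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $doc = [xml]$Xml
        $id  = [int]$doc.GetElementsByTagName('EventID').Item(0).InnerText

        # Flatten <Data Name="...">value</Data> into a name -> value table.
        $data = @{}
        foreach ($node in $doc.GetElementsByTagName('Data')) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }

        $row = [ordered]@{
            EventId  = $id
            Time     = $doc.GetElementsByTagName('TimeCreated').Item(0).GetAttribute('SystemTime')
            LoggedOn = $doc.GetElementsByTagName('Computer').Item(0).InnerText
            Account  = $data['TargetUserName']
        }
        switch ($id) {
            4740 {
                # In 4740 the "Caller Computer Name" is stored as TargetDomainName.
                $row['CallerComputer'] = $data['TargetDomainName']
                $row['Note'] = 'Lockout recorded by the DC for this account'
            }
            4625 {
                $sub = $data['SubStatus']
                $row['CallerComputer'] = $data['WorkstationName']
                $row['SourceAddress']  = $data['IpAddress']
                $row['LogonType']      = $data['LogonType']
                $row['Package']        = $data['AuthenticationPackageName']
                $row['SubStatus']      = $sub
                $row['Note'] = if ($sub -and $NtStatus.ContainsKey($sub)) { $NtStatus[$sub] }
                               else { 'Status code not in the table above' }
            }
            default { $row['Note'] = 'Not a 4740/4625 event; only common fields parsed' }
        }
        [pscustomobject]$row
    }
}

# Constructed sample: a 4740 as a DC would log it (server name and time are made up).
$sample4740 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID><TimeCreated SystemTime="2024-01-01T10:00:05Z" />
    <Computer>DC1.contoso.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">APPSRV01</Data>
  </EventData>
</Event>
'@

# Constructed sample: the 4625 quoted in the post above, rebuilt as event XML.
$sample4625 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-01T10:00:04Z" />
    <Computer>CONTOSO-PDC</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Administrateur</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">CONTOSO-PDC</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@

$sample4740, $sample4625 | ConvertFrom-LockoutEventXml | Format-List

# Live use on a domain controller (needs rights to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4625 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LockoutEventXml
```

Grouping the output by Account, CallerComputer and SubStatus separates attempts against a name that no longer exists (0xc0000064) from wrong-password attempts against a live account (0xc000006a).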

  • Built in domain administrator... locked out?

    PART-1
    Today our built in domain administrator got locked out. From what I've read this is not possible. We were alerted on it and when I opened the object it said it was locked out. (I'll admit, I didn't try logging in with it). I double checked and the object's SID does indeed end in -500, which is indicative of it being the built in account.
    I ran this query:
    $BA=(get-addomain).domainsid
    $BA.tostring() + "-500"
    and the only result I got back was the SID that matched the user in question.
    What's going on? Was it truly locked out? I guess we will run a test tomorrow but I wanted to reach out to the forums too.
    PART-2
    Once this account was locked out we went to the source server and found that it was no longer on the domain. Instead it was in a workgroup that had a name that resembled our domain. I checked the event log and there were a ton of errors with event ID 4097 that said "The machine [machine-name] attempted to join the domain [FQ-domain-name]\[FQDN-of-PDC] but failed. The error code was 1326". These errors correspond with the time that the account was locked out. There were a ton of them...
    The account that was originally used to join this machine to the domain was the built in admin above (I know, not best practice). Regardless, why would it switch from domain to a workgroup? Why would it attempt to auto re-join? And why would it use the account originally used to join the domain?

    I have found my answers...
    Part 1:
    The built-in administrator will get locked out and marked as locked out - however, when you go to log in with it, it will AUTOMATICALLY unlock the account. So essentially it cannot be locked out but it will give off the impression that it is.
    You can however disable the account... supposedly if you ever have to recover your domain in restore mode it will enable the account for you... never had an opportunity to test that and I hope I don't.
    Part 2:
    This is a VMware related issue. The machine tried to re-run custom specs. Please see the following VMware article if you are having the same issue.
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2078352
    This is related to deploying machines with custom specs in 5.1 with hosts on build 1743533 (ESXi 5.1 patch 4)

  • Built-in domain Administrator account not given full access to new Exchange 2013 server

    I migrated from Exchange 2010 to 2013 over the weekend.  I cannot log into the EAC with my domain administrator account I use to log into all my other servers.  I also cannot run the clean-mailboxdatabase cmdlet logged in as this user.  I
    had no trouble moving mailboxes from the old server to the new server with this account though.
    This account is a member of: Domain Admins, Enterprise Admins, Exchange Full Admin, Exchange Organization Admin, Organization Management, Schema Admins, Server Management.
    I can log into the EAC with another admin account that has the same memberships as the Administrator account.
    I tried giving the account the role of "Databases" as suggested by others to fix the clean-mailboxdatabase issue but that did not work for me either.
    The Administrator mailbox has been moved to the new database on the Exchange 2013 server.  The Exchange 2010 has been decommissioned and is turned off.

    Hi,
    Based on my research, to retrieve the mailbox statistics for the disconnected mailboxes for all mailbox databases in the organization, we can try the following command:
    Get-MailboxDatabase | Get-MailboxStatistics -Filter 'DisconnectDate -ne $null'
    http://technet.microsoft.com/en-us/library/bb124612(v=exchg.150).aspx
    Additionally, the Identity parameter specifies the disconnected mailbox in the Exchange database and it can be the display name instead of the mailbox GUID.
    http://technet.microsoft.com/en-us/library/jj863439(v=exchg.150).aspx
    Hope it can help you.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Cannot connect Workgroup Manager using a domain administrator account

    Hello,
    I'm trying to determine if this is normal behavior or something is not working right:
    When using Workgroup Manager (remotely or locally on the server) it will only let me connect with the local (Netinfo) administrator account that was created upon install of the server. It will NOT let me log in with the diradmin account that was created when promoting the server to an OD master (or any other accounts I created (under the LDAP directory) and checked User can "administer the server" and "administer this directory domain").
    Once connected to WGM with the local admin account I then can (and still need to) authenticate to the directory database using the diradmin account (which works). Is this normal behavior?
    From reading Apple's User Management documentation it seems to indicate that once a domain administrator account is set up you can use that account to log into WGM.
    Thanks in advance.
    - Brian
    Mac OS X (10.4.6)

    OK, it looks as though I've figured this out. Using the Directory Access utility on the server itself, I needed to add the "LDAPv3/127.0.0.1" directory domain to the list of domains to search for authentication.

  • Server restrict from domain administrator account

    I have a server 192.168.1.XXX which is added to an AD domain, but I would like to restrict this server from the domain administrator account.
    The 192.168.1.XXX server will be accessed by local account only.
    Please help..

    You received some great suggestions and info. Curious, why would you want to remove the domain admin account from accessing the server?
    Maybe a stand alone server may be a better solution? You can still access domain resources from a stand alone using specific domain accounts, but the machine won't be joined to the domain preventing the domain admin account from accessing it.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Msiexec /qn fails when its not run using the built-in local administrator account

    Hello all,
    I am working on a project where I am trying to automate the deployment of VMs through a self-service portal.
    Among other tasks such as clone VM, sysprep it, assign an IP, create AD computer object, join VM to domain and so on..., i need to install a few applications using msiexec, which is driving me crazy...
    For this purpose, I am using a local user account part of the administrators group.
    Please note, UAC is disabled on all the OS.
    Basically, the msi installation works as expected on Windows 7 machines; however, on Windows 8/2012 it fails due to lack of permissions. The curious thing is that if I use the built-in\administrator account instead for the deployment on those systems, the application is installed correctly.
    I have tested some things such as: DisableMSI (http://msdn.microsoft.com/en-us/library/aa368304%28v=vs.85%29.aspx), but although it progresses a bit further, it keeps failing.
    Does anyone know what I can do to allow a user who is part of the local administrators group to be able to install using msiexec /qn?
    Thanks in advance.

    Hi,
    Does it work if you use the account in local admin, and run the command prompt as administrator to install the msi file? Please know that only the built-in administrator account has admin privilege by default. On other admin accounts you need to run with elevated privilege (i.e. runas).
    I would like to know if you use SCCM to perform your deployment with a task sequence.
    As far as I know, even if you disable UAC, the following policy is still enabled to detect application installation.
    Computer configuration\Windows settings\Security Settings\Local Policies\Security Options -> User Account Control: Detect application installations and prompt for elevation policy
    Please disable this policy to see if your issue can be fixed.
    Kate Li
    TechNet Community Support

  • Old domain was removed and Unable to login as domain administrator account in windows 7 laptop

    I have a problem with a laptop which is in an old domain. Due to some issue I need to uninstall some of the programs on that machine, and for that it is asking for the administrator password. When I enter the old domain's administrator account password it does not log in, and there is no other local administrator account configured on that machine. How do I log in to that machine and join it to the new domain?
    I am trying to log in as <domain-name>\administrator 

    Hi,
    Logon to a domain with a domain account is an interactive process, which needs cooperation of both DC and DNS. Since the old domain is deleted, logging in as <domain-name>\administrator to the old domain will fail.
    Open CMD, type “net user”, and press Enter to display the user accounts of this computer. Check to see if there is any account with administrator permission that you can remember.
    Besides, type “net user administrator”; if the Account Active is YES, try to use this built-in administrator account to log on:
    Press Alt + Ctrl + Delete, select Switch User -> Other User, type <computer name>\administrator. (There may be no password if you haven’t set this.)
    If there is no account with administrator permission which you can use to log on, reinstalling the system will be needed.
    Best Regards,
    Eve Wang

  • ABAP+JAVA System Copy -- Administrator account getting locked

    Hi,
    I am in the process of doing system copy of my portal to a new server. As per the SAP instructions, I had updated the JDK and SP levels of my EP to the latest supported ones.
    Now when I am doing the JAVA Add-in Export of my system, SAPinst is throwing an error that --
    "Error connecting to http://Entportal:50000/sap/monitoring/SystemInfoServlet. The provided user data might be incorrect or user might be locked."
    and when I check the "administrator" user account, it is getting locked. Even though I manually unlock it and update the password in secure storage, still when I run SAPinst, again it is getting locked. I have also changed the path of my temporary directory to c:\temp, which has no spaces in it, according to SAP instructions.
    I have raised the issue through OSS, but still, in the meantime can somebody help me?
    Regards,
    Mandar

    Hi Akshay,
    I am not using any ID. SAPinst itself is trying to access systeminformationservlet using the administrator account. At this stage it is failing to get the correct password and that's why my administrator account is getting locked.
    Regards,
    Mandar.

  • Installing software from a Domain Administrator account

    I have a machine on a domain. I have logged into that machine using a Domain Admin account, and am trying to install some software. Theoretically, a Domain Admin should have full rights on that local machine, yes? However, when I try to do that install I
    get an error message:
    "The system administrator has set policies to prevent this installation."
    Any ideas of why this is occurring? What settings might I need to adjust to give the domain admin installation access?

    It works with a local admin account. Doesn't work with domain account. I installed my first domain server 2 days ago and have no idea what I'm doing, which may be contributing to the problem, but from everything I can tell it seems like the "Domain Admins"
    group has full permissions on all computers in the domain. I'm very confused why this is happening when, as you said, the domain admin should become a local admin by default (and I never messed with any default settings).
    If it works with a local account, but is denied with a domain account, then it is either permissions (unlikely based on what you've described), a domain policy setting denying installations to domain accounts, or possibly some other software/security blocking
    the installation.
    Examine the event logs on the PC for events relating to the attempted installation.
    These articles may help you to check for settings that can cause this; you would then need to work out where those settings are coming from, so you can consider changing them.
    http://social.technet.microsoft.com/Forums/windows/en-US/6c62e6cc-7893-421d-8b90-8e14eaa1eb48/the-system-administrator-has-set-policies-to-prevent-this-installation?forum=itprovistasecurity
    http://www.itninja.com/question/the-system-administrator-has-set-policies-to-prevent-this-installation-1?from=appdeploy.com
    Don

  • GMail Account Repeatedly Locking

    Have a fairly new Pre Plus from Verizon, running WebOS 1.4.....email worked fine for first week or so, but recently my GMail account has started to lock.....I get a message prompting me to unlock my account via a captcha screen - I go to that screen, enter my information and successfully unlock, and successfully retrieve my emails........then a few hours later, it's locked again....this has been going on repeatedly for a few days, and is getting a bit tedious.....
    IMAP/POP settings on the Pre are as they should be (ports, etc.), and IMAP and POP are enabled in my GMail account......have even tried deleting and then re-establishing my account, with no luck.....have also searched and searched for this happening to others, to no avail
    Anybody else experience this or - more importantly -- have any idea how to fix it?
    Thanks in advance.....

    I have the EXACT same problem.  I contacted Google and this is what they said:
    Thanks for your report. We apologize for any confusion or inconvenience.
    For your security, we may temporarily disable access to your account if
    our system detects abnormal usage. It will take between one minute and 24
    hours for you to regain access, depending on the behavior our system
    detected.
    Abnormal usage includes, but is not limited to:
    - Receiving, deleting, or popping out large amounts of mail (via POP) in a
    short period of time
    - Sending a large number of undeliverable messages (messages that bounce
    back)
    - Using third party file-sharing or storing software, or software that
    automatically logs in to your account and that is not supported by Gmail
    - Multiple instances of your Gmail account opened
    - Browser-related issues. Please note that if you find your browser
    continually reloading while attempting to access your inbox, it is likely
    a browser issue, and it may be necessary to clear your browser's cache and
    cookies.
    If you feel that access should not have been disabled, please visit
    https://mail.google.com/support/bin/answer.py?answer=53897 for
    troubleshooting tips.
    Sincerely,
    The Google Team
    Does anyone know what to do?

  • Domain Administrator Accounts

    In 2003 there are Schema Admin accounts etc. I don't see these in 2008. Is it all inclusive in the Built-In Admin group?
    I have been looking around but can't find anything about it.

    Hi
    We have Schema Admin, Enterprise Admin and Domain Admin built-in security groups, and you add yourself to these groups to get the permissions.
    If you search in AD for schema admin you will find it as group.

  • Administrator Account locked

    Hi,
    In our Portal the Administrator account gets locked every 2-3 hours. We also change the password in the secure store.
    Is there a chance to find out why? A central log or something? I can't analyze every log, because we have 7 instances with 4 servers each.

    Hi Andre
    If you check the security logs in j2ee/cluster/server<n>/log/system, when the user gets locked you will see log entries from the failed authentication attempt, and more information including hopefully the IP address of the machine where the request comes from, and the login module stack used during the authentication. Maybe this information will help isolate the origin of the invalid administrator password.
    An alternative approach, which is dependent on the version of the AS Java is to activate some tracing.
    There is a new trace location available for problems such as this - com.sap.security.core.locking
    You can get the info from this location by adding it to the Log Configurator service in the Visual Administrator if it is available, and adjusting the severity accordingly. Then examine the defaultTraces when the user gets locked
    However it is easier in this case to use the web diagtool. Follow note 1045019 to deploy the web diagtool, if not done before
    Then to start the trace, follow example 2 and add just com.sap.security.core.locking and start the trace. The potential problem here is that the diagtool will be running for 2-3 hours while you wait for the user to be locked, however hopefully by just tracing location com.sap.security.core.locking the resultant log will not be too large. The diagtool will capture traces from all servers in a system
    If the location is not available in the diagtool then perhaps it is not available for your system SP
    When the user is locked, hopefully the trace will give you information about the origin IP, the stack trace and the auth stack used

  • How to unlock local administrator accounts

    Hi all,
    I have an XP machine that is a member of a Win2008 domain and the local administrator account is locked out.
    Whenever I restart the XP machine, the admin accounts are automatically locked out.
    How do I unlock the local admin accounts of the XP or Windows 7 machines over GPO?
    Regards,
    Udaiyar

    How to unlock local administrator account
    Using CMD (Administrator)
    First you’ll need to open a command prompt as administrator (Ctrl + X + A in Windows 8).
    Then, run the following command to unlock the account.
    net user administrator /active:yes
    Then, log out and you’ll now see the Administrator account as a choice.
    To lock this account again, type the following command:
    net user administrator /active:no
    http://www.suctips.com/2014/02/how-to-enable-local-administrator.html

  • Administrator account is disable when deploying windows 7 x64 captured image

    I’m using MDT 2012 update 1. I create one deployment share with two task sequence.
    The task sequences are: one for windows 7 x86 and the other one is windows 7 x64.
    Both are working fine until I try to sysprep and capture with all the windows updates.
    Sysprep and capture windows 7 x86 with all windows update work fine. I’m able to deploy the captured image without an error.
    My problem is with the windows 7 x64 captured image. I’m able to sysprep and capture the windows 7 x64 with all the windows updates. Once the capture is completed, I change the .win file in my windows 7 x64 task sequence to point to the new .win file (captured image with all the windows updates). When I deploy windows 7 x64 on a PC, the OS gets installed but boots up to the sign-on screen. The task sequence does not complete. No error message. Cannot log in as local or domain administrator; the account is disabled.
    Why does it work with my windows 7 x86 image and not with my windows 7 x64 image?
    With my windows 7 x86 image the task sequence completed successfully with no error and it logs on automatically in windows, but not with my windows 7 x64 image.
    Both task sequences are the same.
    Let me know if you have any info on this, please.
    thanks

    They should both work, perhaps you missed a step when creating the x64 image.
    1. Verify that the Windows 7 x64 image was created cleanly, with no errors. Sysprep ran with no errors.
    2. Verify that you created the windows 7 deployment task sequence cleanly. I would do a windiff of the TS.xml and unattend.xml file from both folders in the deployment share.
    3. Try running without a domain. Some domains have a GP set to disable the local administrator account.
    Keith Garner - keithga.wordpress.com
