Java Administrator account locks frequently

In our java only system, the administrator user (and others) lock frequently with failed logins.  Is there a way to determine the source of the lock, such as the originating IP address?
We have a complex landscape, and as of yet have been unable to find a RFC or other connection with invalid credentials.
Thank you.

I found the answer myself.  It is logged:
usr\sap\<sid>\<instance>\cluster\server0\log\system\security.0.log
com.sap.security.core.util.SecurityAudit#Plain###Guest     | LOGIN.ERROR     | NONE = null     |      | Login Method=[default], UserID=[adminstrator], IP Address=[xxx.xxx.xxx.xxx], Reason=[Authentication did not succeed.]
Hope this helps someone else.

Similar Messages

  • Administrator account locked/password was changed

    Hi All,
    Administrator account locked/password was changed. Is there any way to see the logs to see when this happened or by whom?
    Any way to lock this down then  it can't be changed by another administrator account? Limit it so it can only be seen/changed by  some people like A or B?
    Regards
    Trilochan

    Hi,
    I am able to see the log but we are having trouble reading them. They are not very straightforward i got some inforamtion about what a log contains in following link but the format is different from here.
    http://help.sap.com/saphelp_nw04/helpdata/en/03/37dc4c25e4344db2935f0d502af295/frameset.htm
    We are getting the log in this format so not able to find when and by whom.
    #1.5 #0017A438CB3C00240000023400001F1C00047F7D19D6AFB9#1266075187981#/System/Security/Usermanagement#sap.com/irj#com.sap.security.core.persistence#Guest#0####15e3ebd018b511df8b390017a438cb3c#SAPEngine_Application_Thread[impl:3]_0##0#0#Warning#1#com.sap.security.core.persistence#Java###Authentication failed on LDAP server: back end message #1#[LDAP: error code 49 - Invalid Credentials]#
    #1.5 #0017A438CB3C00240000023500001F1C00047F7D19D79CBB#1266075188044#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0####15e3ebd018b511df8b390017a438cb3c#SAPEngine_Application_Thread[impl:3]_0##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest     | LOGIN.ERROR     | NONE = null     |      | Login Method=[default], UserID=[jb99532], IP Address=[64.25.25.7], Reason=[Authentication did not succeed.]#
    #1.5 #0017A438CB3C001D000001E700001F1C00047F7D1D2D5575#1266075243998#/System/Security/Audit#sap.com/irj#com.sap.security.core.util.SecurityAudit#Guest#0####37476fe018b511dfc25b0017a438cb3c#SAPEngine_Application_Thread[impl:3]_16##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest     | USERACCOUNT.MODIFY     | USERACCOUNT = UACC.CORP_LDAP.066277700     |      | SET_ATTRIBUTE: lastpasswordchange=[0001266075243920], SET_ATTRIBUTE: passwordchangerequired=[false]#
    Regards
    Trilochan

  • Administrator Account locked on Netweaver 7.1 Java Stack

    Hello all,
    I try to find a possibility how I can unlock the administrator account in Netweaver Java stack 7.1
    We do not have a double stack ABAP / JAVA installed so the solution with the SAP * falls off, I think
    What should I do so I can unlock the administrator account in Java ?
    Thanks in advance
    Best regards
    Vito

    Hi Prabhat,
    I have found a link which described my problem
    the emergency user is actually the SAP* User
    http://help.sap.com/saphelp_nwce711/helpdata/en/0b/50ad3e1d1edc61e10000000a114084/frameset.htm
    Thanks
    Best regards
    Vito
    Edited by: Vito Cecere on Jul 13, 2011 1:27 PM

  • Administrator Account locked

    hi,
    in our Portal the Administrator Account gets locked every 2-3 hours. we also change the password in the secure store.
    is there a chance to find out, why? a central log or something? i can't analyze every log, because we have 7 instances with each 4 servers.

    Hi Andre
    If you check the security logs in j2ee/cluster/server<n>/log/system, when the user gets locked you will see log entries from the failed authentication attempt, and more information including hopefully the IP address of the machine where the request comes from, and the login module stack used during the authentication. Maybe this information will help isolate the origin of the invalid administrator password.
    An alternative approach, which is dependent on the version of the AS Java is to activate some tracing.
    There is a new trace location available for problems such as this - com.sap.security.core.locking
    You can get the info from this location by adding it to the Log Configurator service in the Visual Administrator if it is available, and adjusting the severity accordingly. Then examine the defaultTraces when the user gets locked
    However it is easier in this case to use the web diagtool. Follow note 1045019 to deploy the web diagtool, if not done before
    Then to start the trace, follow example 2 and add just com.sap.security.core.locking and start the trace. The potential problem here is that the diagtool will be running for 2-3 hours while you wait for the user to be locked, however hopefully by just tracing location com.sap.security.core.locking the resultant log will not be too large. The diagtool will capture traces from all servers in a system
    If the location is not available in the diagtool then perhaps it is not available for your system SP
    When the user is locked, hopefully the trace will give you information about the origin IP, the stack trace and the auth stack used

  • User account locking frequently

    Hi all,
    I have a application user account in my db. And this account is getting locked frequently.
    I checked dba_audit_session for invalid login attempts but nothing was there. Other users invalid login attempts was there in dba_audit_session.
    Is there anyway to trace this.
    Please help me in resolving this issue.
    Thanks in advance.
    Prem

    audit create session by appln whenever not successful;HTH
    Enrique
    PS. Check the value of the audit_trail parameter just to verify that audit is actually enabled. You can verify the connection attempts with:
    select * from dba_audit_trail where username = 'APPLN';Edited by: Enrique Orbegozo on Oct 16, 2008 9:05 AM

  • AD Account Locking Frequently

    We have only 1 user affecting in the company and his AD Account is locking out dozen times a day for months.  
    I have done the following:
    Clear Temporary Files
    There is no 3rd party devices
    Delete Cookies / Temp Files / History / Saved passwords / Forms / from all the Browsers.
    Delete all temp files.
    Remove Mapped drives from my computer.  
    Remove stored passwords from Control Panel
    Check the Account threshold 
    Reset password and forced password changed
    Event viewer / auditing both from Server side / Client side (Not much luck)  
    Lockout tool to check which DC locking out and event view logs from DC's(But nothing indicating why the account is getting locked)
    New laptop issued
    Last effort was to deleted AD account and re-create
    Anyone have any ideas? As this is frustrating issue to pin down
     

    Account Locked Out Troubleshooting-EventCombMT - Have a look for details.
    http://social.technet.microsoft.com/wiki/contents/articles/4585.account-locked-out-troubleshooting-eventcombmt.aspx
    Regards,
    Biswajit
    MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011
    Blog:
      Script Gallary:
      LinkedIn:
    Note: Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights..

  • Windows 7: Trust Relationship Error - Local Administrator Account Locked.

    I have 2 Windows 7 Professional machines that recently locked me out citing the "Trust Relationship between this workstation and primary domain failed".
     I assumed all I would have to do is log in as local administrator and remove it from the domain and then re-add it.  When I tried to log on, it told me that I have the password was incorrect - which I knew it wasn't.  After a
    few tries I got a different message that said that the account was locked.  No idea how this could have happened.  Every other local account was locked as well.
    I checked the AD on our 2003 server and I didn't see anything out of the norm.  The computers were in the correct OU, and were not disabled in anyway.  I searched online for a solution, but they all required me to be able to log on to the local
    admin, which is disabled.  
    I tried to boot to Safe Mode with a Command Prompt and typed in: net user administrator /active:yes .
     It told me that the change had been made, but when I reboot it still shows the local account as disabled.
    Any suggestions would be greatly appreciated.  
    Edit: It is Windows 7 Professional x64 

    I have had this issue twice as well. However I have been always been able to log in with local admin rights. removing then rejoining to domain seems to never get things back to normal for me. Once it is reset and joined back to the domain all software just
    seems to be missing but still there at the same time. Like Antivirus shows its installed in c:\program files but its not running. If I go to domain users start menu everything is missing but go into c:\program files and its all there. So every time I have
    seen this error a reimage is what I do seems to work a lot better than dealing with the head aches. Sorry I was not any help but that is my two cents.

  • Administrator account locked...any solutions?

    the master password was not accepted when i tried to login to the system info link as an administrator on successful installation of the NW04(630). there was apparently nothing worng with the entered password......still, any solutions on how to unlock the account? also, to change password?

    If you are talking about J2EE stack, then you may look at the option to activate superadmin account (SAP*) through
    Config Tool => UME properties.
    Follow this link for more info:
    http://help.sap.com/saphelp_nw04s/helpdata/en/3a/4a0640d7b28f5ce10000000a155106/content.htm
    Regards,
    Mike
    Message was edited by: Mike Puzankov

  • Visual Administartor account locked

    Hi,
    How to unlock vial administrator account. And also how to changes the password VA.Please help
    Thanks
    Kristene

    Hi,
    Check this thread-
    administrator account locked...any solutions?
    Regards,
    Moorthy

  • ABAP+JAVA System Copy -- Administrator account getting locked

    Hi,
    I am in the process of doing system copy of my portal to a new server. As per the SAP instructions, I had updated the JDK and SP levels of my EP to the latest supported ones.
    Now when i am doing JAVA Add-in Export of my system, SAPinst is throwing error that --
    "Error connecting to http://Entportal:50000/sap/monitoring/SystemInfoServlet. The provided user data might be incorrect or user might be locked.:
    and when I check the "administrator" user account, it is getting locked. Even though I manually unlock it and update the password is secure storage, still when I run SAPinst, again it is getting locked. I have also chnged the path of my temporary directory to c:\temp which has no spacees in it, according to SAP instructions.
    I have raised the issue through OSS, but still, in the mean time can sombody help me?
    Regards,
    Mandar

    Hi Akshay,
    I am not using any ID. SAPInst itself is trying to access systeminformationservlet using administrator account. at this stage it is failing to get the correct password and thats why my administrator account is getting locked.
    Regards,
    Mandar.

  • Java-administrator password keeps getting locked

    Hi,
    We have a portal 7.3 in which the Java-administrator password keeps getting locked. I can't see anything in the log traces in NWA. The only thing I've found is in security_audit logfile which doesn't really say much:
    #2.0 #2014 07 17 05:47:03:913#+0200#Info#/System/Security/Audit/PrincipalModification#
    #BC-JAS-SEC-UME#com.sap.security.core.sda#C000AC142D1F08D90000000000003284#52888950000000002#tc~bl~txmanager~plb#com.sap.security.core.util.SecurityAudit#Guest#0#JTA Transaction : 127261#040FAA9B0D6511E4C5A4000003270576#040faa9b0d6511e4c5a4000003270576#040faa9b0d6511e4c5a4000003270576#0#Thread[RMI/IIOP Worker [0],5,Dedicated_Application_Thread]#Plain##
    User account modified    | USERACCOUNT.MODIFY    | UACC.PRIVATE_DATASOURCE.un:Administrator    |     | SET_ATTRIBUTE: islocked=[true], SET_ATTRIBUTE: lockreason=[1]#
    Please advice,
    Thanks.

    Hi,
    there exists a trace location that should provide useful information for such cases. It is described in SAP note:
    1493272 - A user gets locked automatically
    My suggestion is add the location com.sap.security.core.userlocking as
    specified in the attachment to the note and once it is added, set that
    location to DEBUG and wait for the user to be locked again. Hopefully additional information concerning the origin of the bad credentials will be written to traces.
    Exactly how you capture the traces depends on the frequency in which
    the user becomes locked. For example if the user becomes locked every
    few minutes, after adding the location in the configtool and
    restarting the system, I suggest using the Security Troubleshooting
    Wizard to do so. Refer to note 1332726 - Troubleshooting Wizard and
    its attachments. Create a custom incident that is a copy of the
    Authentication incident and add this location
    com.sap.security.core.userlocking  to the newly created incident
    Set the wizard to use this new incident for trace collection and wait
    for the user to become locked. Then immediately stop the wizard's
    trace collection
    I
    f the locking occurs less frequently than every few minutes, it is
    preferable to use the NWA to adjust the severity of these locations
    and their sublocations to DEBUG and wait for the issue to reoccur
    com.sap.security.core.userlocking
    com.sap.engine.interfaces.security
    com.sap.engine.services.httpserver.HttpTraceRequest.traceRaw
    com.sap.engine.services.httpserver.HttpTraceResponse.traceHeaders
    com.sap.engine.services.security.authentication
    com.sap.security.core.logon
    com.sap.security.core.ticket
    com.sap.security.core.util
    com.sap.security.core.server.jaas
    See Log Configuration with SAP NetWeaver Administrator
    http://help.sap.com/saphelp_nw73/helpdata/en/47/af551efa711503e10000000a42189c/content.htm
    Don't forgot to change these back to default severity levels after the
    issue has captured in the traces
    Regards,
    David

  • Prevent locking of Administrator account

    Hello,
    We'd like to expose our portal to the internet. This means everyone will be able to logon to the portal (after creating an UME user account). UME is configured to lock user accounts after 3 invalid login attempts.
    Now how can we prevent anonymous internet users to lock the Administrator account or other system accounts like ADSUser?
    The first option would be to implement this on the revert proxy, e.g. block requests containing j_user=Administrator either in the URL during a GET request or in the body during a POST request.
    However, because of performance reasons, especially because of the need to scan all POST requests, this option doesn't look very attractive.
    A second option would be to deploy a new JAAS LoginModule, configured to be always executed as the first one, that checks the username first and halts the login process if the username is Administrator and the request is coming from a certain IP (the reversed proxy), e.g. by throwing a RuntimeException in the login method (will that work? any other possibility besides throwing a RuntimeException?).
    This doesn't look as very clean solution either.
    What would be the best (safe, clean, easy) way to stop anonymous users from locking the Administrator user account?
    Thanks!
    Sigiswald

    At the end we decided to write a custom LoginModule anyway.
    import java.io.IOException;
    import java.net.InetAddress;
    import java.net.UnknownHostException;
    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.Iterator;
    import java.util.List;
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
    import com.sap.engine.lib.security.LoginExceptionDetails;
    import com.sap.engine.lib.security.http.HttpGetterCallback;
    import com.sap.security.api.IUser;
    import com.sap.security.api.NoSuchUserException;
    import com.sap.security.api.UMException;
    * <p>
    * <div>This LoginModule either succeeds or fails, but in fact it
    * <u>never</u> authenticates the user. What is meant is that even if
    * all relevant methods of the LoginModule API - i.e. login and commit
    * - return true, indicating success, the Subject is never
    * authenticated. Therefore this LoginModule should <u>never</u> be
    * configured as SUFFICIENT.</div>
    * </p>
    * <p>
    * <div>The purpose of this LoginModule is to abort the authentication
    * process in case an unauthorized user tries to authenticate as
    * administrator and thus it stops unauthorized users from locking
    * administrator accounts.</div>
    * </p>
    * <p>
    * <div>This LoginModule accepts two optional configuration
    * options:<ul>
    * <li>ip_allow</li>
    * <li>ip_deny</li></ul>
    * The value of both options is a comma separated list of IPv4 ranges.
    * e.g.
    * <code>ip_allow=145.50.76.81,145.50.77.0-145.50.77.255,194.196.236.70-194.196.236.71</code>
    * The localhost is added implicitly.</div>
    * </p>
    * <p>
    * <div>If the IP address of the client that sent the HTTP request is
    * within the range(s) defined by ip_allow and is not within the
    * range(s) defined by ip_deny, authentication succeeds. If this is
    * not the case, authentication fails if the user tries to
    * authenticate by username (and password) and supplies the username
    * of an existing UME user that is assigned the internal_use_only
    * role. Otherwise, authentication succeeds.</div>
    * </p>
    * <p>
    * <div>To meet its purpose, i.e. prevent the locking of administrator
    * user accounts, this LoginModule <u>should</u> be configured as
    * <u>REQUISITE</u> and should be in the login stack <u>before</u> the
    * standard BasicPasswordLoginModule.</div>
    * </p>
    * @author smadou
    public final class AdministratorFilterLoginModule extends AbstractLoginModule {
      private static final String INTERNAL_USE_ONLY =
        LogonUtil.getRoleid("internal_use_only");
      private static final String IP_ALLOW = "ip_allow";
      private static final String IP_DENY = "ip_deny";
      private static boolean initialized;
      private static List IPRANGE_ALLOW = new ArrayList();
      private static List IPRANGE_DENY = new ArrayList();
      private CallbackHandler callbackHandler;
      private boolean succeeded;
      public void initialize(
        Subject subject,
        CallbackHandler callbackHandler,
        Map sharedState,
        Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        this.callbackHandler = callbackHandler;
        this.succeeded = false;
        AdministratorFilterLoginModule.initialize(options);
      public boolean login() throws LoginException {
        try {
          if (ipAllowed()) {
            succeeded = true;
            return true;
        } catch (UnsupportedCallbackException e) {
          throwUserLoginException(e);
        } catch (IOException e) {
          throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
        String logonid = null;
        IUser user = null;
        String userid = null;
        try {
          logonid = getLogonid();
          user = logonid == null ? null : LogonUtil.getUser(logonid);
          userid = user == null ? null : user.getUniqueID();
        } catch (UnsupportedCallbackException e) {
          throwUserLoginException(e);
        } catch (IOException e) {
          throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
        } catch (NoSuchUserException e) {
          // TODO connect to NetWeaver logging API - DEBUG
          e.printStackTrace();
        } catch (UMException e) {
          throwUserLoginException(e);
        if (userid == null) {
          return true;
        if (user.isMemberOfRole(INTERNAL_USE_ONLY, LogonUtil.RECURSIVE)) {
          throwNewLoginException(
            "Access Denied to user with logonid "
              + logonid
              + " having role "
              + INTERNAL_USE_ONLY
              + "!");
        succeeded = true;
        return true;
      public boolean commit() throws LoginException {
        return succeeded;
      public boolean abort() throws LoginException {
        return succeeded;
      public boolean logout() throws LoginException {
        succeeded = false;
        return true;
      private static synchronized void initialize(Map options) {
        if (initialized) {
          return;
        IPRANGE_ALLOW.addAll(Arrays.asList(AddressRange.parseRanges("127.0.0.1")));
        try {
          IPRANGE_ALLOW.addAll(
            Arrays.asList(
              AddressRange.parseRanges(
                InetAddress.getLocalHost().getHostAddress())));
        } catch (UnknownHostException e) {
          // TODO connect to NetWeaver logging API - INFO
          e.printStackTrace();
        String ipAllow = (String) options.get(IP_ALLOW);
        String ipDeny = (String) options.get(IP_DENY);
        if (ipAllow != null && ipAllow.length() > 0) {
          IPRANGE_ALLOW.addAll(Arrays.asList(AddressRange.parseRanges(ipAllow)));
        if (ipDeny != null && ipDeny.length() > 0) {
          IPRANGE_DENY.addAll(Arrays.asList(AddressRange.parseRanges(ipDeny)));
        initialized = true;
      private String getClientIp()
        throws UnsupportedCallbackException, IOException {
        HttpGetterCallback hgc = new HttpGetterCallback();
        hgc.setType(HttpGetterCallback.CLIENT_IP);
        callbackHandler.handle(new Callback[] { hgc });
        return (String) hgc.getValue();
      private String getLogonid()
        throws IOException, UnsupportedCallbackException {
        NameCallback nc = new NameCallback("username: ");
        callbackHandler.handle(new Callback[] { nc });
        return nc.getName();
      private boolean ipAllowed()
        throws UnsupportedCallbackException, IOException {
        String clientIp = getClientIp();
        return match(IPRANGE_ALLOW, clientIp) && !match(IPRANGE_DENY, clientIp);
      private boolean match(List ipRanges, String ip) {
        for (Iterator i = ipRanges.iterator(); i.hasNext();) {
          AddressRange range = (AddressRange) i.next();
          if (range.match(ip)) {
            return true;
        return false;
    import com.sap.security.api.IRole;
    import com.sap.security.api.IRoleFactory;
    import com.sap.security.api.IUser;
    import com.sap.security.api.IUserFactory;
    import com.sap.security.api.NoSuchRoleException;
    import com.sap.security.api.NoSuchUserException;
    import com.sap.security.api.UMException;
    import com.sap.security.api.UMFactory;
    * @author smadou
    public final class LogonUtil {
      static final boolean RECURSIVE = true;
      static String getRoleid(String uniqueName) {
        try {
          IRoleFactory rf = UMFactory.getRoleFactory();
          IRole role = rf.getRoleByUniqueName(uniqueName);
          return role.getUniqueID();
        } catch (NoSuchRoleException e) {
          // TODO connect to NetWeaver logging API - WARN
          e.printStackTrace();
          throw new SecurityException(
            "NoSuchRoleException while getting role with unique name ""
              + uniqueName
              + "": "
              + e.getMessage());
        } catch (UMException e) {
          // TODO connect to NetWeaver logging API - WARN
          e.printStackTrace();
          throw new SecurityException(
            "UMException while getting role with unique name ""
              + uniqueName
              + "": "
              + e.getMessage());
      static IUser getUser(String logonid)
        throws NoSuchUserException, UMException {
        IUserFactory uf = UMFactory.getUserFactory();
        return uf.getUserByLogonID(logonid);
    * This code is based on
    * http: //drc-dev.ohiolink.edu/browser/fedora-core/tags/2.0/src/java/fedora/server/security/IPRestriction.java
    * @author smadou
    public final class AddressRange {
      private static final int IP_OCTETS = 4;
      private static final int OCTET_MIN = 0;
      private static final int OCTET_MAX = (int) Math.pow(2, 8) - 1;
      private long start;
      private long end;
      private AddressRange(long start, long end) {
        this.start = start;
        this.end = end;
      public boolean match(String address) {
        return match(parseAddress(address));
      private boolean match(long address) {
        return address >= start && address <= end;
      private static long parseAddress(String address) {
        String[] octets = address.split("\.");
        if (octets.length != IP_OCTETS) {
          throw new IllegalArgumentException("invalid adress: "" + address + """);
        long lAddress = 0;
        for (int i = 0, n = octets.length; i < n; i++) {
          lAddress += parseOctet(octets[ i ], n - i - 1);
        return lAddress;
      private static long parseOctet(String octet, int byteNum)
        throws NumberFormatException {
        long lOctet = Long.parseLong(octet);
        if (lOctet < OCTET_MIN || lOctet > OCTET_MAX) {
          throw new IllegalArgumentException("invalid octet: "" + octet + """);
        return lOctet * (long) Math.pow(Math.pow(2, 8), byteNum);
      private static AddressRange parseRange(String range) {
        String[] parts = range.split("-");
        if (parts.length > 2) {
          throw new IllegalArgumentException("invalid range: "" + range + """);
        long start = parseAddress(parts[0].trim());
        long end = parts.length == 1 ? start : parseAddress(parts[1].trim());
        return new AddressRange(start, end);
      public static AddressRange[] parseRanges(String ranges) {
        String[] parts = ranges.split(",");
        AddressRange[] addressRanges = new AddressRange[parts.length];
        for (int i = 0, n = parts.length; i < n; i++) {
          addressRanges[ i ] = parseRange(parts[ i ].trim());
        return addressRanges;

  • After trying to change permissions on my computer so others on my network can access files, my external Hard Drive has a lock on it and I can't access files. I've tried repairing permissions, logging in under another Administrator account, using Terminal

    After trying to change permissions on my computer so others on my network can grab files, my external Hard Drive has a lock on it and I can't access files. I've tried repairing permissions, logging in under another Administrator account, using Terminal to fix the problem, downloaded BatChmod but nothing works… Any other suggestions? I have an Imac running OS10.6.8.

    There is suddenly a lock icon on my external backup drive!
    Custom Permissions

  • Domain Administrator account being locked up by PDC

    Hi everyone,
    My PDC is locking up my domain administrator (administrateur in french) account.
    System event logs :
    The SAM database was unable to lockout the account of Administrateur due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please
    consider resetting the password of the account mentioned above.
    Level : Error
    Source : Directory-Services-SAM
    Event ID : 12294
    Computer : Contoso-PDC
    User : System
    There is absolutely no events in the security events log, not a single "Audit Failure" event for the "administrateur" account.
    I tried to change the name of the domain administrator account from "administrateur" to "administrator".
    Now there is "Audit failure" events poping up in the security event logs.
    Once again the Source Workstation is the PDC. I guess those events are there because it receive credential validation for an account who doesn't exist anymore since it have been renamed in "Administrator".
    Here is the detail log :
    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Administrateur
    Account Domain: CONTOSO
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: CONTOSO-PDC
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    On the PDC i checked :
    Services : None of them are started with the "administrateur" account
    Network Share : There is no network share ...
    Task Scheduler : None of the tasks are launch with the "administrateur" account.
    And the logon type (3:network) seem to indicate that the login comes from an other computer but i have nothing to look for, not a single IP.
    Any ideas?
    ps : Sorry for the probable english mistakes :(

    Hi,
    Thanks for you answers.
    San4wish :
    Lockout tool confirm that the domain administrator account is locked on my PDC. I didn't run eventcomb but i though it only helped parsing security event logs which i did "manually". Anyway i'll try eventcomb after this week end.
    About the conficker worm : I looked into it and this worm was exploiting a vulnerability in the server service. It have been patched by MS08-067 (KB958644) and this kb isn't available for Windows 2008 R2 and Windwos 2012 so i guess Windows 2008 R2 have
    fixed this vulnerabilty.
    So i doubt its a conficker type worm.
    Also i gave the PDC role to another DC (let's call him DC2) and now DC2 is locking the administrator account so it seems that the computer locking the account is doing it through the network and it's not something executed on the DCs.

  • Administrator User Account Locked

    Hi.
    I locked into my local portal with Admin user/pwd.
    It asks me to reset the pwd.
    I did it and I forgottenly given wrong password.
    When I tried to log in the portal with the Admin user/pwd, it is showing message as "Account Locked"
    Can anyone help on this issue.
    Regards
    Bala

    Hi Balachandar P,
    If you forgot or lock "Administrator or J2EE_ADMIN" password just follow below steps:
    <u><b>STEP-1: Enable "SAP*"</b></u>
    1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
    Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
    2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
    3.Double-click on the property "ume.superadmin.activated = TRUE"
    4.Double-click on the property "ume.superadmin.password=<Enter any password ex: abc123>"
    5.Save.
    6.Restart the engine.
    <u><b>STEP-2: Login with "SAP*" into portal</b></u>
    1. http://<host>:<Port>/useradmin/index.jsp
    2. Enter userid / password as" SAP* / <password ex: abc123>"
    3. Search for "Administrator" user
    4. Reset or change password for "Administrtor"
    <u><b>STEP-3: Disable "SAP*"</b></u>
    1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
    Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
    2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
    3.Double-click on the property "ume.superadmin.activated = FALSE"
    4.Save.
    5. Restart the engine.
    <u><b>STEP-4: Login with "Administrator"</b></u>
    1. http://<host>:<Port>/useradmin/index.jsp
    2. Enter userid / Password as "Administrator / <password>
    3. it will ask change password just change it.
    <b>Thanks,
    Nagaraju Parlapalli</b>

Maybe you are looking for

  • User exit/BADi to populate the header text in MIRO transaction

    Hi all, I am searching user exit or badi to populate the header text in MIRO transaction. My requirement is, before post the invoice I need to populate the some text in Header text field (MIRO -> Details tab -> header text field). I need to populate

  • Migrating from weblogic 8 to 10.3

    Hi, i'm current migrating my codes from 8 to 10.3. However upon deployment, i encounter some problems. I have recompile my codes using the JDK 6. External framework i'm using are Struts 1.2.9, Hibernate 3.1.2 and Spring 1.2.6 When i install my codes

  • Itunes producer doesn't publish my ebook

    i can't upload my new ebook created by ibooks author. this is the message i see:

  • X58 Platinum Raid 1 Setup Problems

    I am having difficulties installing and setting up Raid during my Windows 7 installation and wanted to see where I was going wrong.  My setup is as follows: Windows 7 Upgrade CD MSI X58 Platinum motherboard 1 Seagate 250gb HDD (I intend to put the OS

  • Convert rows into columns nad vice versa in 10g

    how to convert rows into columns in 10g??