hidden hit counter
Welcome to WindowsForumz.com!
FAQFAQ    SearchSearch      ProfileProfile    Private MessagesPrivate Messages   Log inLog in

Domain Administrator Lockout

  
   Win 2000/NT/98/ME (Home) -> Active Directory RSS
Next:  Error Diagnostics & Repair in under 2 minutes  
Author Message
MC

External


Since: Nov 15, 2007
Posts: 8



(Msg. 1) Posted: Fri Feb 01, 2008 9:54 am
Post subject: Domain Administrator Lockout
Archived from groups: microsoft>public>win2000>active_directory (more info?)
Hi,
I see in system even log SAM database error messages saying that Account
Can't be locked, due to resource error
Event ID:12294, and that account is domain\administrator

That means something or someone is trying to logon to domain as
administrator but failing. (also can't lock the account, because I
disabled). How I find from what IP or workstation these attempt being made?
Event log doesn't mention
Thanks
MC

 >> Stay informed about: Domain Administrator Lockout 
Back to top
Login to vote
Danny Sanders

External


Since: May 03, 2006
Posts: 94



(Msg. 2) Posted: Fri Feb 01, 2008 9:54 am
Post subject: Re: Domain Administrator Lockout [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Are you sure you don't have a service on that computer running under the
administrator account with an old admin password?

Check the services that are set to start up automatically. Look for one that
is not started and see what account it is using.


hth
DDS

"MC" wrote in message

> Hi,
> I see in system even log SAM database error messages saying that Account
> Can't be locked, due to resource error
> Event ID:12294, and that account is domain\administrator
>
> That means something or someone is trying to logon to domain as
> administrator but failing. (also can't lock the account, because I
> disabled). How I find from what IP or workstation these attempt being
> made?
> Event log doesn't mention
> Thanks
> MC

 >> Stay informed about: Domain Administrator Lockout 
Back to top
Login to vote
MC

External


Since: Nov 15, 2007
Posts: 8



(Msg. 3) Posted: Fri Feb 01, 2008 11:34 am
Post subject: Re: Domain Administrator Lockout [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
No, service is running as Administrator account.
Besides, it only happens 1 or 2 times a week.
When I look at Security Log, I see at least 100 attempt within 1-2minute
period.
MC

"Danny Sanders" wrote in message

> Are you sure you don't have a service on that computer running under the
> administrator account with an old admin password?
>
> Check the services that are set to start up automatically. Look for one
> that is not started and see what account it is using.
>
>
> hth
> DDS
>
> "MC" wrote in message
>
>> Hi,
>> I see in system even log SAM database error messages saying that Account
>> Can't be locked, due to resource error
>> Event ID:12294, and that account is domain\administrator
>>
>> That means something or someone is trying to logon to domain as
>> administrator but failing. (also can't lock the account, because I
>> disabled). How I find from what IP or workstation these attempt being
>> made?
>> Event log doesn't mention
>> Thanks
>> MC
>
>
 >> Stay informed about: Domain Administrator Lockout 
Back to top
Login to vote
Jorge de Almeida Pinto [M

External


Since: Aug 22, 2006
Posts: 80



(Msg. 4) Posted: Thu Feb 07, 2008 2:38 pm
Post subject: Re: Domain Administrator Lockout [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
use NETLOGON debug logging

Enabling debug logging for the Net Logon service
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
DBFlag = 0x2080FFFF (in: %windir%\debug\netlogon.log)


google for NETLOGON debug logging and you will find more info

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"MC" wrote in message

> Hi,
> I see in system even log SAM database error messages saying that Account
> Can't be locked, due to resource error
> Event ID:12294, and that account is domain\administrator
>
> That means something or someone is trying to logon to domain as
> administrator but failing. (also can't lock the account, because I
> disabled). How I find from what IP or workstation these attempt being
> made?
> Event log doesn't mention
> Thanks
> MC
 >> Stay informed about: Domain Administrator Lockout 
Back to top
Login to vote
Display posts from previous:   
Related Topics:
Account Lockout - Is there a utility that can be used to determine where a particular account is getting locked out from. I have a user's account that is getting locked out periodically. Most likely it's due to some service attempting to log in under that users'..

Account lockout logging?? - How can I get detailed lockout logging? My account keeps getting locked out every 10-20 minutes. My password changes too frequently to save it anywhere, so there are no applications that I'm aware of, that has an old password saved. It's been almos...

Account lockout disabled but still locking out. - Hi Guys. I'm wondering if you can help us. We trialled the account lockout on one of our domains but have decided to disable it since it was locking them out numerous times daily (with SMS logons and stuff). Anyhow, we've disabled it in the default..

Account Lockout event log only recorded ... sometimes - Hello, I've got my policy set up on Account Management success and Failure and I have been getting records in the event log when user accounts lock out (a 644 event) and I still get them, but it seems to be a hit-or-miss thing recently. If I weren't...

Adding 2003 server Backup Domain Controller to 2000 Domain - I am trying to add a 2003 server with active directory to serve as a backup domain controller to a 2000 Domain. When trying to add AD on the 2003 server, I get an error that the forest is not prepared and to use the Adprep command-line tool to prepare...
   Win 2000/NT/98/ME (Home) -> Active Directory All times are: Eastern Time (US & Canada)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You can edit your posts in this forum
You can delete your posts in this forum
You can vote in polls in this forum

Categories:
 Windows XP
  Win 2000/NT/98/ME
 Windows Vista!

[ Contact us | Terms of Service/Privacy Policy ]