Hidden logged on user (frequently locked out administrator account)
  • Hidden logged on user (frequently locked out administrator account)

    Hi, I've been experiencing a weird problem after resetting my domain Administrator password.
    After resetting the password, failed login attempts have frequently been recorded in the system, which is causing the account to be locked out frequently as well because it violates our domain password policy (5 invalid login attempts). I'm monitoring it using the Microsoft Account Lockout tool.
    First, I suspected there was a service configured to run using the domain Administrator account, but after performing a check there are no services running under it (they were already switched before resetting the password); I checked them using the Somarsoft DumpSec tool. Then I found a tool (Sysinternals PsLoggedOn) and ran it on all servers, and found on the additional domain controller (we've 2 DCs) and the ISA Server 2004 that the domain Administrator is still logged on locally. Even after restarting the servers the tool still detects that the domain Administrator is logged on on those two servers. How do I terminate the hidden session of the Administrator account?

    Please advise.

    Regards,
    Acung
    Last edited by lzd212; 5th March 2008, 05:31.
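
Added example, not code from the thread or from the poster: PsLoggedOn reports two things, accounts whose profile hive is loaded under HKEY_USERS on the target (local, interactive and service logons) and resource (SMB) sessions opened against it, so the same two checks in PowerShell show what the "hidden" logon actually is. It assumes the Remote Registry service is running on the targets, that the caller is a local administrator there, and that the server names are hypothetical.

```powershell
# Added example (not from the thread): reproduce what PsLoggedOn checks.
# (a) profile hives loaded under HKEY_USERS  (b) SMB sessions against the server
# Assumptions: Remote Registry running on the target, caller is a local admin there,
# server names below are hypothetical.

function Get-LoadedProfileUsers {
    # Part (a): every S-1-5-21-* hive loaded under HKEY_USERS, resolved to an account name.
    param([string]$Server)
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $Server)
    try {
        foreach ($name in $hku.GetSubKeyNames()) {
            # Skip the built-in system hives (S-1-5-18/19/20) and the *_Classes shadow keys
            if ($name -notmatch '^S-1-5-21-' -or $name -like '*_Classes') { continue }
            try {
                $sid     = New-Object System.Security.Principal.SecurityIdentifier($name)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $account = '<unresolved SID>' }
            New-Object PSObject -Property @{
                Server = $Server; Kind = 'LoadedHive'; Sid = $name; Account = $account; From = $null
            }
        }
    } finally { $hku.Close() }
}

function Get-SmbSessions {
    # Part (b): SMB sessions held open against the server (the "resource" logons PsLoggedOn lists).
    param([string]$Server)
    Get-WmiObject -Class Win32_ServerSession -ComputerName $Server | ForEach-Object {
        New-Object PSObject -Property @{
            Server = $Server; Kind = 'SmbSession'; Sid = $null
            Account = $_.UserName; From = $_.ComputerName
        }
    }
}

'GMSI-DC02', 'ISA01' | ForEach-Object {
    Get-LoadedProfileUsers -Server $_
    Get-SmbSessions -Server $_
} | Format-Table Server, Kind, Account, Sid, From -AutoSize
```

A hive that stays loaded after a reboot is not an interactive session; it is loaded by something that logged on as that account (a service, a scheduled task, a RunAs) or by a profile that failed to unload, and PsLoggedOn cannot tell those apart. Interactive sessions can be listed with `qwinsta /server:NAME` and ended with `logoff <session id> /server:NAME`; an SMB session is dropped on the server with `net session \\client /delete`.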

  • #2
    Re: Hidden logged on user (frequently locked out administrator account)

    AFAIK the Administrator account (as opposed to other accounts in the Domain Admins group) can NEVER be locked out -- that's one of its powers (and weaknesses)
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Hidden logged on user (frequently locked out administrator account)

      Thank you for the reply, I've read about it as well but found the account in a locked-out condition several times (the check box ticked). Usually it happens when I get this error in the system (but not always):

      Event Type: Error
      Event Source: SAM
      Event Category: None
      Event ID: 12294
      Date: 3/5/2008
      Time: 4:14:59 PM
      User: GMSI\Administrator
      Computer: GMSI-DC02
      Description:
      The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
      Data:
      0000: a5 02 00 c0 ..


      And found NTDS Replication warning messages logged in the system as well (frequently):

      Event Type: Warning
      Event Source: NTDS Replication
      Event Category: Replication
      Event ID: 1083
      Date: 3/5/2008
      Time: 4:45:00 PM
      User: NT AUTHORITY\ANONYMOUS LOGON
      Computer: GMSI-DC02
      Description:
      Active Directory could not update the following object with changes received from the domain controller at the following network address because Active Directory was busy processing information.

      Object:
      CN=Administrator,CN=Users,DC=globalmediasvc,DC=fam
      Network address:
      10236a1d-95c4-4e33-9c5c-fd2534e12760._msdcs.globalmediasvc.fam

      This operation will be tried again later.

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


      Followed by:

      Event Type: Information
      Event Source: NTDS Replication
      Event Category: Replication
      Event ID: 1955
      Date: 3/5/2008
      Time: 4:45:00 PM
      User: NT AUTHORITY\ANONYMOUS LOGON
      Computer: GMSI-DC02
      Description:
      Active Directory encountered a write conflict when applying replicated changes to the following object.

      Object:
      CN=Administrator,CN=Users,DC=globalmediasvc,DC=fam
      Time in seconds:
      0

      Event log entries preceding this entry will indicate whether or not the update was accepted.

      A write conflict can be caused by simultaneous changes to the same object or simultaneous changes to other objects that have attributes referencing this object. This commonly occurs when the object represents a large group with many members, and the functional level of the forest is set to Windows 2000. This conflict triggered additional retries of the update. If the system appears slow, it could be because replication of these changes is occurring.

      User Action
      Use smaller groups for this operation or raise the functional level to Windows Server 2003.

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

      For those errors, I've been trying to follow this article: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=7926
      But the issue is still not resolved; no duplicate object has been found (the LDP tool returned 1 object when searching for the computer name of the GUID-based DNS name mentioned in the warning message), and when I moved the replication partner from Default-First-Site-Name to a newly created site the issue seemed to be resolved, but when I moved it back it was logged again.

      It seems those errors are logged because of the failed login attempts using the Administrator account, is that correct? Please advise.

      Regards,


      Acung


      • #4
        Re: Hidden logged on user (frequently locked out administrator account)

        If not services, do you have any mapped drives on these servers which are configured to use the Administrator's username and password? As you have said, there is definitely something on the two servers which is trying to authenticate using the old Administrator password.

        MurTuzA
        The Never Ending Loop of User Rights
        START
        Q. Why is Windows so insecure?
        A. Because everyone runs as Administrator.
        Q. Why does everyone run as Administrator (even when they know better)?
        A. Because they don't understand security and are afraid they will be prevented from doing things.
        Q. Why don't they understand security?
        A. Because they run as Administrator, bypassing all security.
        LOOP TO START
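
Added example, not code from the thread or from the poster: the three places the replies so far point at (services, scheduled tasks, mapped drives) checked in one pass across a list of servers for anything still configured with a given account. It assumes WMI/RPC is reachable on the servers, `schtasks.exe` is available (XP/2003 or later), the caller has admin rights on the targets, and the server and account names are hypothetical.

```powershell
# Added example (not from the thread): find services, scheduled tasks and mapped drives
# on a set of servers that still reference an account. Server/account names are hypothetical.
function Find-AccountUsage {
    param([string[]]$Servers, [string]$Account = 'GMSI\Administrator')

    # Match the "GMSI\Administrator", ".\Administrator" and "Administrator@domain" spellings.
    $user    = $Account.Split('\')[-1]
    $pattern = '(^|\\)' + [regex]::Escape($user) + '($|@)'

    foreach ($server in $Servers) {
        # 1. Services whose logon account is the target account
        Get-WmiObject -Class Win32_Service -ComputerName $server |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $server; Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName
                }
            }

        # 2. Scheduled tasks: "schtasks /v /fo csv" exposes a "Run As User" column
        schtasks.exe /query /s $server /v /fo csv 2>$null |
            ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match $pattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $server; Kind = 'ScheduledTask'; Name = $_.TaskName; RunAs = $_.'Run As User'
                }
            }

        # 3. Mapped drives / persistent connections made with explicit credentials.
        #    Caveat: Win32_NetworkConnection is per logon session, so a remote WMI call
        #    only sees the caller's own mappings; run this part inside the suspect session.
        Get-WmiObject -Class Win32_NetworkConnection -ComputerName $server |
            Where-Object { $_.UserName -match $pattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $server; Kind = 'MappedDrive'
                    Name = "$($_.LocalName) -> $($_.RemoteName)"; RunAs = $_.UserName
                }
            }
    }
}

Find-AccountUsage -Servers 'GMSI-DC01', 'GMSI-DC02', 'ISA01' -Account 'GMSI\Administrator' |
    Format-Table Server, Kind, Name, RunAs -AutoSize
```

The `.\Administrator` form is the local account, not the domain one, so a hit on it is a false positive for this thread's problem but still worth knowing about.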


        • #5
          Re: Hidden logged on user (frequently locked out administrator account)

          Hi, thank you for your reply. I checked the stored accounts on all servers before posting and nothing related to the Administrator account was found, and no network drive mappings either. All applications and services running under it were switched before resetting the password.
          Yesterday, when checking those servers again, I found that the Administrator account was no longer listed as a locally logged-on user, and I had done nothing related to the issue because I don't know what to do. Since last week, the only change I've made is the password policy in GPO (Default Domain Policy): I removed the minimum and maximum password age settings. I really want to know what is happening.

          Regarding the NTDS error, I'll open a new thread with a relevant subject.

          Regards,

          Acung
          Last edited by lzd212; 12th March 2008, 03:29.


          • #6
            Re: Hidden logged on user (frequently locked out administrator account)

            Hi,

            Our way to find it:

            We use the EventComb tool to search for event IDs 529, 644, 675, 676 and 681 along with the user ID.

            This will tell us from which workstations these wrong attempts are coming, which narrows down the troubleshooting approach.

            EventComb is an MS utility to search event logs.

            Regards,
            Kapil Sharma
            ~~~~~~~~~~~~~
            Life is too short, Enjoy It.
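
Added example, not code from the thread or from the poster: the EventComb search above done in PowerShell, with the parsing that turns each event into "which account, from which machine". The IDs are the Windows 2000/2003 Security-log ones the post names; the field each carries for the originating machine differs per ID, which is what the regex handles. It assumes PowerShell 2.0 or later, read access to each DC's Security log, and hypothetical DC and account names; the sample messages at the bottom are constructed so the parser can be checked without a DC.

```powershell
# Added example (not from the thread): EventComb-style search in PowerShell.
#   529 logon failure (bad name/password)  -> "Workstation Name:"
#   644 account locked out                 -> "Caller Machine Name:"
#   675 Kerberos pre-authentication failed -> "Client Address:"
#   676 Kerberos TGT request failed        -> "Client Address:"
#   681 NTLM logon failure                 -> "from workstation:"
# Assumptions: PS 2.0+, read access to the DCs' Security logs, hypothetical names.
$FailureIds = 529, 644, 675, 676, 681

function Get-FailureSource {
    # Pull the account name and the originating machine/address out of one event message.
    param([int]$EventId, [string]$Message, [datetime]$Time)
    $user = $null; $from = $null
    if ($Message -match '(?m)^\s*(User Name|Target Account Name|The logon to account):\s*(\S+)') {
        $user = $Matches[2]
    }
    if ($Message -match '(?m)^\s*(Workstation Name|Client Address|Caller Machine Name|from workstation):\s*(\S+)') {
        $from = $Matches[2]
    }
    New-Object PSObject -Property @{ Time = $Time; EventId = $EventId; User = $user; Source = $from }
}

function Get-FailedLogons {
    # Live query: failure events for one account from each DC since a given time.
    # Grouping the result by Source points at the machine still holding the old password.
    param([string[]]$DCs, [string]$Account, [datetime]$Since)
    foreach ($dc in $DCs) {
        Get-EventLog -LogName Security -ComputerName $dc -After $Since |
            Where-Object { $FailureIds -contains $_.EventID } |
            ForEach-Object { Get-FailureSource -EventId $_.EventID -Message $_.Message -Time $_.TimeGenerated } |
            Where-Object { $_.User -eq $Account }
    }
}

# Offline check of the parser on constructed messages (not real log data):
$samples = @(
    @{ Id = 529; Msg = "Logon Failure:`n`tReason:`t`tUnknown user name or bad password`n`tUser Name:`tAdministrator`n`tDomain:`t`tGMSI`n`tLogon Type:`t3`n`tWorkstation Name:`tWKS01" },
    @{ Id = 675; Msg = "Pre-authentication failed:`n`tUser Name:`tAdministrator`n`tService Name:`tkrbtgt/GLOBALMEDIASVC.FAM`n`tFailure Code:`t0x18`n`tClient Address:`t10.0.0.25" },
    @{ Id = 681; Msg = "The logon to account: Administrator`n by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0`n from workstation: WKS01`n failed. The error code was: 3221225578" }
)
$samples | ForEach-Object { Get-FailureSource -EventId $_.Id -Message $_.Msg -Time (Get-Date) } |
    Group-Object Source | Select-Object Name, Count

# Live use against the DCs (uncomment):
# Get-FailedLogons -DCs 'GMSI-DC01', 'GMSI-DC02' -Account 'Administrator' -Since (Get-Date).AddDays(-1) |
#     Group-Object Source | Sort-Object Count -Descending
```

Query both DCs: a failed logon is recorded only on the DC that handled it, and 644 is written by the DC that applied the lockout (normally the PDC emulator), so a single-DC search can miss the source.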


            • #7
              Re: Hidden logged on user (frequently locked out administrator account)

              Hi, I did that already and found lots of authentication failures (mostly for the Administrator account) from some computers and servers; I then audited those computers for any tasks, services or stored credentials configured with the Administrator account and got nothing. Did I miss anything? Or could someone please assist with how to debug this issue?

              Please advise.

              Regards,

              Acung


              • #8
                Re: Hidden logged on user (frequently locked out administrator account)

                Why not rename the account to something other than Administrator and see if your lock out problem goes away?
                Cheers,

                Rick

                ** Remember to give credit where credit is due and leave reputation points where appropriate **

                2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.


                • #9
                  Re: Hidden logged on user (frequently locked out administrator account)

                  Originally posted by lzd212:
                  Hi, I did that already and found lots of authentication failures (mostly for the Administrator account) from some computers and servers; I then audited those computers for any tasks, services or stored credentials configured with the Administrator account and got nothing. Did I miss anything? Or could someone please assist with how to debug this issue?

                  Please advise.

                  Regards,

                  Acung
                  You may have a stored password on a workstation. Go into Control Panel / User Accounts on the suspect workstation, Advanced tab, and remove any stored usernames/passwords there. This area doesn't get updated when you change passwords, until you store it again.
                  Let me know if that helps.
                  Last edited by teiger; 17th March 2008, 21:39. Reason: Typo
                  TIA

                  Steven Teiger [SBS-MVP(2003-2009)]
                  http://www.wintra.co.il/
                  I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                  We don't stop playing because we grow old, we grow old because we stop playing.
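
Added example, not code from the thread or from the poster: the stored-credential store the reply refers to (Control Panel > User Accounts > Advanced > Manage Passwords) enumerated from the command line, so it can be checked on many workstations without clicking through each one. It assumes `cmdkey.exe` is present (Windows Server 2003, and Vista or later) and that it runs in the session of the user whose store is being cleaned, because the store is per user; the account name and the sample `cmdkey /list` output are constructed.

```powershell
# Added example (not from the thread): list and remove stored credentials for one user.
# Assumptions: cmdkey.exe available, run as the user whose store is inspected,
# account name below is hypothetical.
function Get-StoredCredential {
    # Parse "cmdkey /list" output into Target/Type/User objects.
    param([string[]]$Lines = (cmdkey.exe /list))
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($entry) { $entry }          # emit the previous entry
            $entry = New-Object PSObject -Property @{ Target = $Matches[1]; Type = $null; User = $null }
        } elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $entry.Type = $Matches[1]
        } elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $entry.User = $Matches[1]
        }
    }
    if ($entry) { $entry }
}

function Remove-StoredCredentialForUser {
    # Delete every stored credential saved for $User; -WhatIf only reports.
    param([string]$User, [string[]]$Lines = (cmdkey.exe /list), [switch]$WhatIf)
    Get-StoredCredential -Lines $Lines | Where-Object { $_.User -eq $User } | ForEach-Object {
        # cmdkey /delete takes the bare target name, without the "Domain:target=" prefix
        $target = $_.Target -replace '^(Domain|LegacyGeneric):target=', ''
        if ($WhatIf) { "Would delete: $($_.Target) (user $($_.User))" }
        else         { cmdkey.exe /delete:$target }
    }
}

# Offline check on constructed cmdkey output (not captured from a real machine):
$sample = @(
    'Currently stored credentials:', '',
    '    Target: Domain:target=gmsi-dc02', '    Type: Domain Password', '    User: GMSI\Administrator', '',
    '    Target: LegacyGeneric:target=TERMSRV/isa01', '    Type: Generic', '    User: GMSI\svc_backup', ''
)
Remove-StoredCredentialForUser -User 'GMSI\Administrator' -Lines $sample -WhatIf

# Live use on the workstation (uncomment):
# Remove-StoredCredentialForUser -User 'GMSI\Administrator'
```

Entries saved by a service or scheduled task run under another account live in that account's store, so check each account that has logged on to the machine, not only the interactive user.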


                  • #10
                    Re: Hidden logged on user (frequently locked out administrator account)

                    Hi Teiger, thank you for your advice. It was the first thing I did before posting this issue and there was nothing there. But it seems the issue has been resolved by renaming the domain Administrator account; the warning and error logs mentioned in the first post have gone. It's been 4 days since I renamed it and those warning/error messages have stopped already (I just wanted to be sure about the status before updating this post). Thank you everyone.

                    Just curious: what's the real problem? How do I find out which process is using the Administrator account and causing those errors to be logged? I was expecting another error to be logged when I renamed the Administrator account if there is a process using that account. No new error related to the Administrator account has been logged since it was renamed; the only error still logged in the system is Kerberos-related (with Kerberos logging enabled) and it's been happening for a few months.

                    Event Type: Error
                    Event Source: Kerberos
                    Event Category: None
                    Event ID: 3
                    Date: 3/18/2008
                    Time: 8:58:16 AM
                    User: N/A
                    Computer: GMSI-DC02
                    Description:
                    A Kerberos Error Message was received:
                    on logon session
                    Client Time:
                    Server Time: 0:58:16.0000 3/18/2008 Z
                    Error Code: 0xd KDC_ERR_BADOPTION
                    Extended Error: 0xc00000bb KLIN(0)
                    Client Realm:
                    Client Name:
                    Server Realm: GLOBALMEDIASVC.FAM
                    Server Name: host/gmsi-dc02.globalmediasvc.fam
                    Target Name: host/[email protected]
                    Error Text:
                    File: 9
                    Line: ae0
                    Error Data is in record data.

                    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
                    Data:
                    0000: 30 15 a1 03 02 01 03 a2 0.....
                    0008: 0e 04 0c bb 00 00 c0 00 ......
                    0010: 00 00 00 03 00 00 00 .......


                    Is there any relation between this error and the previous error? It's logged on both DCs. Please advise.

                    Best regards,


                    Acung
                    Last edited by lzd212; 18th March 2008, 02:20.


                    • #11
                      Re: Hidden logged on user (frequently locked out administrator account)

                      At the risk of stating something that you may have done already ... check out the article below for Kerberos-related errors:

                      http://www.microsoft.com/technet/pro.../tkerberr.mspx

                      Looks like you have a case of stale Kerberos tickets. My advice would be to use the klist utility and purge all the Kerberos tickets on the problem machines. That should get rid of the errors.


                      MurTuzA