
Administrator Account Cannot Access Active Directory


  • Administrator Account Cannot Access Active Directory

    Hi I have a Win2k3 server running active directory, that has been running for quite a while. Recently I've added exchange 2007 on a newly built win2k3 server (not a DC), and since then, if I log into any computer other than the DC as the admin account, I cannot access the active directory any more. I get an error "Naming information cannot be located because: The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you." Looking in the security log on my DC, it shows a failure audit:
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 672
    Date: 8/13/2009
    Time: 3:52:27 PM
    Computer: DC1
    Authentication Ticket Request:
    User Name: judy
    Supplied Realm Name: GUARD
    User ID: -
    Service Name: krbtgt/GUARD
    Service ID: -
    Ticket Options: 0x40810010
    Result Code: 0x12
    Ticket Encryption Type: -
    Pre-Authentication Type: -
    Client Address:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
    For more information, see Help and Support Center at
    Notice that the user name is listed as judy. This was an old employee whose account has been disabled and deleted quite a while ago. I have no idea why when I try to access AD the admin account wants to authenticate with that user. I tried renaming the admin account to judy and back to admin and that didn't help. What did work is adding the user judy back to AD. I'm at a loss and don't know how these two accounts got intermingled. Any thoughts or suggestions would be greatly appreciated.

  • #2
    Re: Administrator Account Cannot Access Active Directory

    I have never experienced your problem but this might help isolate the problem (not in any specific order):

    1. If possible, remove Exchange 2007 (properly) and see if the problem still persists.

    2. Use ADSIEDIT.msc to find info about the Judy account. This might point you in the right direction. DISCLAIMER - Only make changes if you know exactly what you are doing!

    3. At the command prompt at one of your PCs on the domain - type "set" and press enter. This will show the logon server and other domain info.

    4. Use Wireshark and capture packets during the authentication process - you might see some fishy authentication process during the ticket granting ticket (TGT) steps.

    Good luck!


    • #3
      Re: Administrator Account Cannot Access Active Directory

      Kesshin, thanks for the help.

      1. Unfortunately I cannot remove Exchange 2007. I've already migrated my old 2003 mailboxes and decommissioned that server.
      2. I've looked at the adsiedit, but I gotta say that I'm not that proficient with it and I don't see the Judy account in there at all, nor any mention of it in the admin properties. (I've deleted the judy account previously via the AD GUI)
      3. When I run 'set' it all looks good to me:
      ALLUSERSPROFILE=C:\Documents and Settings\All Users
      APPDATA=C:\Documents and Settings\administrator.GUARD\Application Data
      CommonProgramFiles=C:\Program Files\Common Files
      HOMEPATH=\Documents and Settings\administrator.GUARD
      Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\ATI Technologies\ATI.ACE\
      PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
      ProgramFiles=C:\Program Files
      USERPROFILE=C:\Documents and Settings\administrator.GUARD

      4. Not sure how to use Wireshark during the logon process; if you could help me out on that I'd be grateful.


      • #4
        Re: Administrator Account Cannot Access Active Directory

        Could be a DNS or replication related issue.

        Or, just a shot in the dark...
        Can you create a new Domain Admin account, and can you log on successfully with that account into any computer other than the DC?

        If you can log on successfully, then try switching group membership between the domain\Administrator and the domain\newadmin - so that the domain\Administrator then is only a member of the groups Domain Admins and Domain Users. And make Domain Admins its primary group.
        Now try again to log in with the Administrator account, any difference?

        If you can log in successfully now into any computer other than the DC, try making Domain Users the primary group again and then add the previous groups back in one by one. How many groups was the Administrator a member of anyway?


        This posting is provided "AS IS" with no warranties, and confers no rights.


        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts


        • #5
          Re: Administrator Account Cannot Access Active Directory

          Rems, I've actually tried that with no luck. If I copy the Admin user the new user works fine. There is something specifically in the admin AD component that has associated itself with the deleted account. I've gone to the point of deleting all its group memberships (except 'administrators' 'cause AD doesn't let you) and no change. I wish there was a way to delete this user and add it again, but I can't delete 'built-in' accounts.

          Also, I am always able to log in successfully as the admin, but once I'm in, I can't access the AD 'cause it then thinks that the user is Judy.


          • #6
            Re: Administrator Account Cannot Access Active Directory

            Sorry for my late reply!

            Google and download the installer - once you run the application it should be pretty easy to start capturing packets. The tricky part is filtering and making sense of what you are capturing. From your post, you seem to have some solid IT skills so I don't think that you will have any trouble installing and getting started.

            I am not a Wireshark guru by any means, but here is a link that can get you started with some basic filters. I would pay attention to DNS captures and/or src IPs for your DC.


            I wonder if you could do an Authoritative Restore of the deleted Judy object and then try deleting it again....or, change the SID of your current account. (not sure if this can be done though)

            Out of curiosity, can you login with the Judy account using your password?

            I am really just trying to think out of the box here so my apologies in advance!


            • #7
              Re: Administrator Account Cannot Access Active Directory

              Thought I'd give an update. Problem solved, there was a saved password on the admin user, and ran "control keymgr.dll" deleted the entry and that did it.


              • #8
                Re: Administrator Account Cannot Access Active Directory

                Thanks for the update!

                Was that stored on the DC, Exchange, or client PC?

                Glad that you solved it!
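
The failure audit in the first post and the stored-credential fix in post #7, tied together as an added example (not code from any poster in this thread): it parses the posted event 672 text, decodes the result code using the RFC 4120 KDC error numbers, and flags a TGT request made for an account other than the one logged on. The function names and the `interactive_user` parameter are assumptions made for illustration.

```python
# KDC error codes from RFC 4120, as they appear in the "Result Code" field.
KDC_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    0x12: "KDC_ERR_CLIENT_REVOKED (credentials revoked: disabled, expired or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password has expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (pre-authentication failed, usually a bad password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# Fields copied from the failure audit in the first post (empty fields omitted).
SAMPLE_EVENT = """\
Event Type: Failure Audit
Event ID: 672
Computer: DC1
User Name: judy
Supplied Realm Name: GUARD
Service Name: krbtgt/GUARD
Ticket Options: 0x40810010
Result Code: 0x12
"""

def parse_event(text):
    """Turn 'Field: value' lines into a dict; fields with no value map to ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(text, interactive_user):
    """Explain a 672 failure; interactive_user (hypothetical parameter) is the
    account the analyst knows was logged on when the error appeared."""
    ev = parse_event(text)
    if ev.get("Event ID") != "672" or ev.get("Event Type") != "Failure Audit":
        return None  # not an AS-REQ failure audit
    code = int(ev.get("Result Code") or "0", 16)
    requested = ev.get("User Name", "")
    mismatch = requested.lower() != interactive_user.lower()
    hint = ("TGT was requested for a different account than the one logged on; "
            "review that user's stored credentials (control keymgr.dll)") if mismatch else ""
    return {"requested_principal": requested + "@" + ev.get("Supplied Realm Name", ""),
            "result": KDC_ERRORS.get(code, "unknown code 0x%x" % code),
            "principal_mismatch": mismatch, "hint": hint}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT, "Administrator").items():
        print(f"{key}: {value}")
```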