AD Account Got Locked Out


We have a service account in our AD environment (Windows 2003) that gets locked out frequently.

Some background information:

  • Windows 2003 domain
  • the account is set to never expire
  • we never changed the password of this account
  • The interval between each time I unlock the account is totally random.

Sometimes the account runs normally for a week or two without any problem, while at other times it locks again one day after I unlock it.

At first, I thought the account might be used by a process or scheduled job or something that has a misconfigured password. I checked the security logs on all DCs but found nothing. I tried the Microsoft Account Lockout Tool as well, with no luck either.

We checked internal network traffic (assuming the lockout is triggered by a server/endpoint machine), but couldn't find any invalid login attempt using this account.

We have lots of other service accounts in the same AD environment, and none of them are having the same issue.

I'm really running out of clues... any help is much appreciated!

Thanks a lot!

Sun Cleverland

Posted 2016-09-05T09:48:44.513


Additional info: I reckon it has something to do with the expiration date (even though it's set to never expire), so I tried giving it an expiry date like Dec 31, 2050, but that changed nothing. The account got locked out again a few days after I unlocked it last time. – Sun Cleverland – 2016-09-05T09:50:43.797

So when you say "We have a service account in our AD environment (Windows 2003) got locked out frequently" but you cannot find anything relevant for this login in ALL DCs' security event viewer logs... What is the indicator that the account is being locked out? Does something fail to run with this service, and if so, what are you using it for, like FTP automation, some server service doing something, etc.? I assume someone is not just seeing it in AD Users and Computers or NET USER commands, so give a little explanation of at least what this server is touching, domain resource and function wise. – Pimp Juice IT – 2016-09-06T02:39:03.563

This is a service account used for backup purposes. As soon as it gets locked, the backup job fails. This account has been used by the backup service for years and the problem only started occurring a few months ago. Nothing has been changed in the backup job either and, as I mentioned, the password has not been changed on this account... if it's locked by invalid login attempts, there should be something logged in Event Viewer. – Sun Cleverland – 2016-09-06T02:50:57.307

What does the error message in your backup software say when the failure occurs, what are you using software wise (like ArcServe, etc.), and is it backing up via network or some client agent? I assume the backup job fails on various servers and not just one, so there's no commonality there either? – Pimp Juice IT – 2016-09-06T02:52:19.573

It is ArcServe. The message is "The request is denied by the agent. The username/or password is invalid (Node=machinename@IPaddress)". Since the jobs haven't been modified for a long, long time (no new nodes added), it's been using the same account/password combination for years. And as described, it happens randomly. If one of the backup jobs had a wrong username/password, I assume the lockout would happen on a regular basis (all jobs run either weekly or daily at particular scheduled times). The strange part of this lockout is that sometimes we can run without problem for a week or two. – Sun Cleverland – 2016-09-06T02:59:03.533

Sun - Being familiar with ArcServe Backup, I think 1. check to confirm the client agent versions on the machines and the ArcServe Server are at compatible versions (or call support to confirm if you can and if needed). I assume you "just in case" double checked the obvious: https://arcserve.zendesk.com/hc/en-us/articles/202872585-E8533-The-request-is-denied-by-the-agent-The-username-and-or-password-is-invalid-Node-Node-Name-IP-Address- options, configs, etc. all listed there, including local security policy settings. Is this a file server, email server, or what, where it fails server wise? – Pimp Juice IT – 2016-09-06T03:15:46.110

Thanks for your input. I'm checking the link you gave me. Sorry, I'm not very familiar with ArcServe actually. In the meanwhile, I'm also reading one of the ArcServe logs, univag.log, and somehow I can locate the time interval when the lockout happened. The log has a line saying "Logonuser failed, try again rc=1909". I did some searching, but couldn't find any info about this rc=1909. Wondering if you would have any clue? – Sun Cleverland – 2016-09-06T08:25:38.567

Answers


To find out the reason for an account lockout, you must configure the advanced audit policy settings. This will help you track and audit logon events via GPO. Once you have successfully configured the policy, you can query the security event log for event ID 4740. Please refer to the article below, which summarizes the information in detail: https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory

user270460

Posted 2016-09-05T09:48:44.513


Welcome to Super User. Can you provide instructions on how to configure the policy setting and what to look for in event ID 4740? While linking to source material is helpful and encouraged, on this Q&A site we value definitive answers that remain useful even when external links become broken. Thanks for contributing. – I say Reinstate Monica – 2016-09-08T13:01:59.247

I did check the audit log, but there's no failed security event using this particular account. I tried the Microsoft account lockout tool as well, which again found nothing. I want to know: is it possible that the account actually isn't used by any program/script, but AD itself expires the account somehow (though the account is set to never expire)? – Sun Cleverland – 2016-09-12T09:16:28.700
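The answer above points at event ID 4740 but does not show how to pull the origin of the lockouts out of it. The following PowerShell script is an added example, not code from the answer, the asker or ArcServe; it assumes Windows Server 2008 or later domain controllers (4740 does not exist on Windows 2003, where the equivalent event is 644), that the RSAT ActiveDirectory module is installed where it runs, and that the account name is passed in as `-SamAccountName`.

```powershell
# Added example: collect 4740 "A user account was locked out" events from every DC
# and report which computer (Caller Computer Name) each lockout for one account came from.
# Assumes 2008+ DCs (the answer's event ID 4740; Windows 2003 logs 644 instead, not
# covered by this filter) and the RSAT ActiveDirectory module on the machine running this.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,   # e.g. the backup service account
    [int]$Days = 30                                    # how far back to search
)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$Days)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Lockouts are recorded on whichever DC processed the bad logon, so ask all of them.
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        Write-Warning "Could not read the Security log on ${dc}: $_"
    }
}

# 4740 EventData order: [0] TargetUserName (locked account), [1] TargetDomainName
# (Caller Computer Name), [2] TargetSid, [3] SubjectUserSid, [4] SubjectUserName,
# [5] SubjectDomainName, [6] SubjectLogonId.
$lockouts = $events |
    Where-Object { $_.Properties[0].Value -ieq $SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{
            Time             = $_.TimeCreated
            LockedAccount    = $_.Properties[0].Value
            CallerComputer   = $_.Properties[1].Value   # host that sent the bad credentials
            DomainController = $_.MachineName
        }
    } | Sort-Object Time

$lockouts | Format-Table -AutoSize

# Lockouts clustering on one CallerComputer point to a stored credential or job on that
# host; compare the timestamps with the backup schedule and the "Logonuser failed" lines
# the asker found in univag.log.
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

If the Security log shows no 4740 at all for the account, the "Audit Account Management" (or the advanced "Audit User Account Management") success auditing the answer refers to is not in effect on the DCs, because a lockout cannot occur without one of them writing that event.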