We have a service account in our AD environment (Windows 2003) that gets locked out frequently.
Some background information:
- Windows 2003 domain
- the account is set to never expire
- we never changed the password of this account
- The interval between each time I unlock the account is totally random.
Sometimes the account runs normally for a week or two without any problem, while at other times it locks again one day after I unlock it.
At first, I thought the account might be used by a process or scheduled job or something which has a misconfigured password. I checked the security logs on all DCs but found nothing. I tried the Microsoft Account Lockout Tool as well, and had no luck either.
We checked internal network traffic (assuming the lockout is triggered by a server/endpoint machine), but couldn't find any invalid login attempt using this account.
We have lots of other service accounts in the same AD environment, and none of them are having the same issue.
I'm really running out of clues... Any help is much appreciated!
Thanks a lot!
Some additional info - I reckon it has something to do with the expiration date (even though it's set to never expire), so I tried giving it an expiry date like Dec 31, 2050, but that changed nothing. The account got locked out again a few days after I unlocked it last time. – Sun Cleverland – 2016-09-05T09:50:43.797
So when you say "We have a service account in our AD environment (Windows 2003) got locked out frequently" but you cannot find anything relevant for this login in ALL DCs' security event viewer logs... What is the indicator that the account is being locked out? Does something fail to run with this service and, if so, what are you using it for, like FTP automation, some server service doing something, etc.? I assume someone is not just seeing it in AD Users and Computers or NET USER commands, so give a little explanation of at least what this server is touching, domain resource and function wise. – Pimp Juice IT – 2016-09-06T02:39:03.563
This is a service account used for backup purposes. As soon as it gets locked, the backup job will fail. This account has been used by the backup service for years and the problem only started occurring a few months ago. Nothing's been changed in the backup job either and, as I mentioned, the password has not been changed on this account... If it's locked by invalid login attempts, there should be something logged in Event Viewer. – Sun Cleverland – 2016-09-06T02:50:57.307
What does the error message in your backup software say when the failure occurs, and what are you using software wise, like ArcServe, etc., and is it backing up via the network or some client agent? I assume the backup job fails on various servers and not just one, so there are no commonalities there either? – Pimp Juice IT – 2016-09-06T02:52:19.573
It is ArcServe. The message is "The request is denied by the agent. The username/or password is invalid (Node=machinename@IPaddress)". Since the jobs haven't been modified for a long, long time (no new nodes added), it's been using the same account/password combination for years. And as described, it happens randomly. If one of the backup jobs has a wrong username/password, I assume the lock up should happen on a regular basis (all jobs are running either weekly or daily at a particular scheduled time). The strange part of this lock up thing is that sometimes we can run without a problem for a week or two. – Sun Cleverland – 2016-09-06T02:59:03.533
Sun - Being familiar with ArcServe Backup, I think 1. check to confirm the client agent versions on the machines and the ArcServe Server are at compatible versions (or call support to confirm if you can and needed). I assume you "just in case" double checked the obvious: https://arcserve.zendesk.com/hc/en-us/articles/202872585-E8533-The-request-is-denied-by-the-agent-The-username-and-or-password-is-invalid-Node-Node-Name-IP-Address- options, configs, etc. all listed there. Including local security policy settings. Is this a file server, email server, or what where it fails server wise? – Pimp Juice IT – 2016-09-06T03:15:46.110
Thanks for your input. I'm checking the link you gave me. Sorry, I'm not very familiar with ArcServe actually. In the meanwhile, I'm also reading one of the ArcServe logs, univag.log, and somehow I can locate the time interval when the lockout happened. The log has a line saying "Logonuser failed, try again rc=1909". I did some searching, but couldn't find any info about this rc=1909. Wondering if you would have any clue? – Sun Cleverland – 2016-09-06T08:25:38.567
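
Added example, not part of the thread: a way to triage the `Logonuser failed ... rc=` lines from the agent log on each backed-up node, to see whether that node logged bad-password failures just before it first saw the account locked. It assumes `rc` is the Win32 error code of the failed logon (1909 is `ERROR_ACCOUNT_LOCKED_OUT` in winerror.h, 1326 is `ERROR_LOGON_FAILURE`); the timestamp layout, the sample lines and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: "rc" is the Win32 error code of the failed logon call.
WIN32_LOGON_ERRORS = {
    1326: "ERROR_LOGON_FAILURE",        # unknown user name or bad password
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1793: "ERROR_ACCOUNT_EXPIRED",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",   # account was already locked at this attempt
}
LOCKED_OUT = 1909

# Constructed sample. Only the message text is from the thread; the
# timestamp layout is an assumption and must be adapted to the real log.
SAMPLE_LOG = """\
2016/09/05 23:00:01 Logonuser failed, try again rc=1326
2016/09/05 23:00:03 Logonuser failed, try again rc=1326
2016/09/05 23:00:05 Logonuser failed, try again rc=1326
2016/09/05 23:00:07 Logonuser failed, try again rc=1909
2016/09/05 23:05:00 Logonuser failed, try again rc=1909
2016/09/12 01:00:00 Logonuser failed, try again rc=1909
"""
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\s.*Logonuser failed.*\brc=(\d+)")

def parse_failures(text):
    """Return [(timestamp, rc)] for every logon failure line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            out.append((ts, int(m.group(2))))
    return out

def lockout_onsets(failures, window=timedelta(minutes=30)):
    """For the first rc=1909 of each episode, list this host's earlier
    non-1909 failures that fall within `window` before it."""
    onsets, prev = [], None
    for i, (ts, rc) in enumerate(failures):
        new_episode = prev is None or prev[1] != LOCKED_OUT or ts - prev[0] > window
        if rc == LOCKED_OUT and new_episode:
            lead = [(t, r) for t, r in failures[:i] if r != LOCKED_OUT and ts - t <= window]
            onsets.append((ts, lead))
        prev = (ts, rc)
    return onsets

if __name__ == "__main__":
    for ts, lead in lockout_onsets(parse_failures(SAMPLE_LOG)):
        names = [WIN32_LOGON_ERRORS.get(r, str(r)) for _, r in lead]
        print(ts, "lockout seen; preceding failures on this host:", names or "none")
```

An onset with preceding 1326 entries marks that node as a candidate source of the bad-password attempts; an onset with none means the node only observed a lockout that was triggered somewhere else.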