Account lockout - no audit failures on DC

[canadajoe]

I have an admin account to update mcafee that gets locked out every night but when looking in the security events on the DC I can find no logon failures for that account. I can't determine what system is locking the account if I can't find these. Has anyone else had this problem?

 

[tfg13]

What are you logging on your DC? What are you pushing out to the domain as needing to be logged?

 

[monsterjta]

Possibly an automated/scheduled brute force attack, trying to login to another server/workstation? Wouldn't necessarily be logged in the DC event log if it's a domain account.

Can you restrict this account only to log into one machine? Or is this a service that runs on multiple machines? If just one machine, restrict that user account to it.

I guess that leaves ME with a question:

If a user account is restricted to login to only one machine, and someone is attempting to login with that account on a different machine...would that account get locked out if it exceeds the logon attempt count???

Hope This Helps,

Good Luck!

 

[canadajoe]

Aren't all domain logons logged on the DC? This is an account set in the properties of the Mcafee console to update dats from one of our internal servers but not all servers are failing to update. Every day the service account is locked out.