On our NT domain we have begun to experience the frequent (multiple times daily) lockout of our network administrator user.
Looking at the Security logs for Event ID 644s, it seems apparent that the source workstations are 3 different Server boxes within our LAN; this is happening randomly but multiple times a day.
Having searched around the three culprit servers we've eliminated the possibility that any drive mapping or services with the wrong credentials could be causing the issue - no one else can or will access these servers other than our 2 admins.
We temporarily renamed the admin account and this stopped it from locking out.
Now then, to try and make a contingency for the weekend, so that backup jobs and processes etc etc would continue to run over the weekend, we set the bad logon threshold to 600 (during Thursday/Friday we had no more than 20 instances of the lockout occurring, with corresponding Event 644s each time appearing in the logs).
Lo and behold this morning we found the admin account to be locked out, but strangely there was only 1 Event ID 644 in the log, from Friday evening - where I would have expected to see 600 of them.
Again, within 90 mins of me unlocking the account again this morning we have had another lockout with only one 644 displaying in the log.
Anyone any ideas where to go with this?