
Administrator account got locked out

Status
Not open for further replies.
Feb 19, 2004
I'm working in an organisation where the administrator account is kept by the IT manager. Administrators like myself have a userid with domain admin rights. Recently I checked Active Directory Users and Computers and the administrator account was locked!! Thinking maybe my IT manager accidentally locked the account, I enabled it again... This has been happening for a few weeks... whenever I enable it and go back the following day to check, the account is locked again. Frustrated, I asked my IT manager... but he said he has not used the administrator account at all. Can anyone help? How can I figure out who has been trying to get into my server???
 
Are any services / applications running as this account (i.e. overnight backups) which could have an incorrect password entered?

-------------------------------

If it doesn't leak oil it must be empty!!
 
I haven't tried this but here is a thought. If I thought that someone was attacking the Administrator ID, first I would check the event log to see if a machine name was logged. If it wasn't, I would change the ID to another name and create a new ID called Administrator with no authorities. If someone should crack this ID, they have another layer of security to go through. At the same time, your event log should log which machine made the attempt. Just a thought. I'm curious what others think.
 
I suffered from this a while back. Turned out that I was still logged on to another server, via a remote control session under an old password.
 
Veritas backup is running every day, but I didn't have this problem until recently...

Thanks fulcrumsys, I think I will try tracking which machine made the attempt to log in to my domain.

c0r0... I can confirm that I am not using the administrator ID to log in to any server via remote control.
 
Just a general suggestion:

ALWAYS CREATE A SECOND FULL ADMIN ACCOUNT WITH A DIFFERENT NAME! You never know when you will need it to recover the original account when it gets locked out.
An important clue: ONLY THE SYSTEM CAN LOCK OUT AN ACCOUNT, but any account can be disabled by an administrator.

If this lockout happens right after a password change, then you have some service running on some system using your account to log on, and every time it tries to start up it will lock out the account because of the old password. As a rule of thumb, do not use any admin account to run a service. However, if the service needs this level of access, then create a special account with the correct privilege level, and set its password to never change.

Some very good suggestions here already, and I will add that you need to make sure that the current user name on all systems goes away when the user logs out. Otherwise, if you work on a system with your admin account, the next user just enters his password (remember this is what he is used to doing if his last logon left his username there) over and over until he locks out your account.

I also highly concur with renaming the original administrator account to something else and creating a dummy "Administrator" account with no privileges just to block cracking attempts. You also need to check the status of this dummy account once in a while to see if it has been locked out, as this will be a clue that your systems are being hacked.

HTH,

David
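One way to do the tracking fulcrumsys and David suggest (find which machine is sending the bad passwords), as an added example that is not part of this thread: on current Windows domain controllers the lockout is recorded in the PDC emulator's Security log as event 4740, whose TargetDomainName data field carries the caller computer name (Windows 2000/2003 of the thread's era logged event 644 instead). The Python below parses constructed 4740 records in the exported event XML shape and counts lockouts of one account per caller computer; the host names, account names and timestamps are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: three event 4740 ("A user account was locked out")
# records in the Windows event XML shape. Hosts, accounts and times are
# made up; two nightly lockouts come from the same backup host.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4740</EventID><TimeCreated SystemTime="2004-02-17T02:00:13Z"/></System>
 <EventData><Data Name="TargetUserName">Administrator</Data>
  <Data Name="TargetDomainName">BACKUPSRV01</Data><Data Name="SubjectUserName">DC01$</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4740</EventID><TimeCreated SystemTime="2004-02-18T02:00:09Z"/></System>
 <EventData><Data Name="TargetUserName">Administrator</Data>
  <Data Name="TargetDomainName">BACKUPSRV01</Data><Data Name="SubjectUserName">DC01$</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4740</EventID><TimeCreated SystemTime="2004-02-18T09:41:52Z"/></System>
 <EventData><Data Name="TargetUserName">jsmith</Data>
  <Data Name="TargetDomainName">WKSTN-IT07</Data><Data Name="SubjectUserName">DC01$</Data></EventData>
</Event>
</Events>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_lockouts(xml_text):
    """Return (time, account, caller_computer) for every 4740 event.

    In 4740 the Data field named TargetDomainName holds the caller computer
    name (the machine that submitted the bad passwords); SubjectUserName is
    only the domain controller that processed the lockout."""
    lockouts = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4740":
            continue  # other Security events are not lockouts
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        lockouts.append((when, data["TargetUserName"], data["TargetDomainName"]))
    return lockouts


def lockout_sources(xml_text, account):
    """Count lockouts of `account` per caller computer, most frequent first.
    A host that repeats at the same hour each night points at a scheduled
    job or service holding a stale password rather than at a person."""
    hits = Counter(src for _, acct, src in parse_lockouts(xml_text)
                   if acct.lower() == account.lower())
    return hits.most_common()
```

Against a live domain, export the PDC emulator's Security log filtered to event 4740 as XML and feed the text to `lockout_sources`; the top host is where to look for the service, scheduled task or leftover remote session.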




 