Built-in DOMAIN\Administrator account permanent strange blocking

Question

The infrastructure is not mine.

Domain/Forest Windows 2012, 5 virtualized DCs in 4 Sites.
Built-in DOMAIN\Administrator account is permanently blocked in HQ Site on one of the DC (PDC Emul.).
Company personnel does not want to disable or rename this account.

Account Lockout Policy is default: 15/5/15

In the Security Events I see all: 4740, 4768, 4624, 1955 (Timeout/AD Object replication error to other DC in same AD Site)
But I can't see any foreign IP addresses or network names except local DC's.
In EventID 4768 Client Address = ::1
In EventID 4624 Source Network Address = IPv6 of this DC

RDP is disabled (I know about same behavior with disabled RDP NLA.
This DC has no other software except PRTG (with network monitoring settings) and ESET Antivirus (Real-Time Protection is only enabled).

Audit NTLM showed 8002 rare events.

All latest updates.

Netwrix Account Lockout Examiner and old MS ALTools told obvious thing, that Administrator's account blocks immediately after the GP Lockout Policy timeout expires.

Any fresh ideas?

Answer 1

Suddenly i found the problem.

Their infrastructure has some servers in the MS Azure and one server has opened RDP to the Internet...

So it used transitive network logon which was displayed in a special (without source) way in the PDC DC's logs.

I used FullDebug flag in nltest (/DBFlag:2080FFFF) on this DC and investigated the source in C:\Windows\debug\netlogon.txt

I hope this information will help someone.

Answer 2

Hello,

Thank you so much for posting here.

As far as I know, the built-in domain administrator account will not be locked out actually. It still could be successfully logged in as soon as the correct password is used.

I did the test in my lab. Configured the account lockout policy as shown below. Logged on to the BDC with the domain admin account and typed the wrong password many times. There were events logged on the BDC as shown below.

Then on the PDC, I could see the event ID 4740 and 4771. Even though there is event 4740, the admin account could still be logged in as soon as the correct password is used.

Do we see the 4771 or 4776 event log (including the user's account name and the error code is 0X18 or 0xc000006a) near the 4740 event? Besides, we could try to reset its password to see whether it could solve the issue.

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

account is permanently blocked in HQ Site on one of the DC

Since it only affects a single domain controller the simplest solution may be to stand up a new one for replacement, then demote /decommission the problematic one.

--please don't forget to Accept as answer if the reply is helpful--

Answer 4

In the end I strongly advised to block or at least rename the default Domain Administrator account.
Thank you HannahXiong-MSFT, I didn't know about that AD Administrator's feature.