Tracking down cached domain admin passwords

Magnolia Mendoza 0 Reputation points
2023-03-10T00:13:51.3566667+00:00

This is for a smaller client of mine. They have a Hyper-V server hosting a domain controller and an apps server. Notably, the Hyper-V server is domain-joined.

We use software that identifies and tracks changes in Active Directory (among other things), and I have been investigating an alert that the domain admin password has a large badPwdCount attribute. At the time of writing, the attribute is currently at 304.

We started rotating all admin passwords on a monthly basis and the alert triggered a few hours after the domain admin password was rotated.

I initially feared there was a virus somewhere in the environment and ran AV scans on all workstations and servers. Nothing was found.

I checked the security event logs on the domain controller for event 4625 and surprisingly, there were very few: maybe 3 events that seemed unrelated to the current problem. This confused me as at this point, I had seen this attribute reach over 1000. I researched methods of investigating locked out accounts and started by using Microsoft's account lockout tool. Didn't really find much and pursued other avenues.

I stumbled across Netwrix's account lockout tool. This did identify scheduled tasks on one of the workstations that could be causing these bad login attempts. I investigated this on the workstation in question (let's call it PC1) and deleted those scheduled tasks. The next day, the number was still incrementing at a similar rate.

I also checked for credentials in the credential manager on PC1 and did not find any for the domain admin.

For whatever reason, I decided to check the security event logs on the Hyper-V server hosting the domain controllers and there I found all of the login attempts on the domain admin account. I have no idea why they are appearing in the event logs of the Hyper-V server rather than the domain controller.

The events I saw for failed logins on the domain admin account came from three different workstations (one of which was one that Netwrix identified, PC1).

I checked the event logs on one of the workstations and found more of event 4625. The application triggering the login attempts was consent.exe, which I believe is related to UAC. I could not identify any more information about what process might be causing these failed logins.

I'm not sure where to proceed from here and looking for advice and suggestions for next steps. Happy to provide any more information you believe could be relevant.

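The question above covers the two things worth checking first when badPwdCount climbs but the domain controller's 4625 log is nearly empty: badPwdCount is not replicated between domain controllers, and a failed logon is written as 4625 on the host that rejected it (the target of a share connection, for instance), while a DC that validates NTLM credentials writes 4776 instead. The following PowerShell is an added example, not code from the original thread. It assumes the ActiveDirectory RSAT module, a domain account allowed to read the remote Security logs, and the "Remote Event Log Management" firewall rule enabled on the queried hosts; the account name and the host names DC01 and HV01 are placeholders.

```powershell
# Added example (not from the original thread): locate the source of repeated
# bad-password attempts against a domain account. Account and host names are
# placeholders; adjust them to the environment.
param(
    [string]   $Account = 'Administrator',      # assumed: account with the high badPwdCount
    [string[]] $Hosts   = @('DC01', 'HV01'),    # assumed: domain controller and Hyper-V host
    [int]      $Hours   = 24
)

Import-Module ActiveDirectory

# badPwdCount and the last bad-password time are not replicated between domain
# controllers, so read them from every DC rather than from whichever one answers.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    Get-ADUser -Identity $Account -Server $dc -Properties badPwdCount, LastBadPasswordAttempt |
        Select-Object @{ n = 'DC'; e = { $dc } }, badPwdCount, LastBadPasswordAttempt
} | Format-Table -AutoSize

# 4625 is logged on the host that rejected the logon; a DC validating NTLM
# credentials logs 4776. Pull both and flatten the XML EventData into a hashtable.
$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4625, 4776; StartTime = $since }

$events = foreach ($h in $Hosts) {
    Get-WinEvent -ComputerName $h -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            # 4625 names the caller's machine as WorkstationName; 4776 uses Workstation.
            if ($_.Id -eq 4625) { $src = $d['WorkstationName'] } else { $src = $d['Workstation'] }

            [pscustomobject]@{
                Host      = $h
                Time      = $_.TimeCreated
                Id        = $_.Id
                Account   = $d['TargetUserName']
                Source    = $src
                SourceIP  = $d['IpAddress']       # 4625 only
                Process   = $d['ProcessName']     # 4625 only: the calling process on that host
                LogonType = $d['LogonType']       # 4625 only: 3 = network (share access)
                Status    = $d['Status']          # 4776: 0xC000006A = wrong password
                SubStatus = $d['SubStatus']       # 4625: 0xC000006A = wrong password
            }
        }
}

# Which host, source machine and process account for the failures?
$events |
    Where-Object { $_.Account -eq $Account } |
    Group-Object Host, Source, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it from a management workstation with the target account and the DC plus any file-serving host (here the Hyper-V server) in `$Hosts`. The first table shows which DC is actually recording the bad passwords; the second groups the failures by the rejecting host, the workstation that sent them and, for 4625, the process on the rejecting host, which is the quickest route to the machine that still has the old credential.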

2 answers

  1. Anonymous
    2023-03-10T01:05:12.4333333+00:00

    May be able to do something via GPO

    https://woshub.com/cached-domain-logon-credentials-windows/

    -

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Magnolia Mendoza 0 Reputation points
    2023-03-10T23:52:39.88+00:00

    I found it! I noticed a new grouping of three failed sign-ins on a different PC, so I logged into that one and checked its own event logs. I found an event 4625 that was from the domain admin, although apparently it was a successful login. I checked the PID in Task Manager and found it was a Veeam backup agent that was still trying to take backups.

    I checked the settings and it's trying to use the domain admin credentials to access a shared drive on the Hyper-V to store the backups, which explains why the failed login attempts were appearing in the Hyper-V's event logs.

    Apparently, we'd set this up for them a while back for workstation backups, but it didn't work as they wanted. I think it was supposed to be uninstalled but never was. I'll remove it from the affected workstations.

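The resolution above is a common pattern: a leftover agent on a workstation keeps retrying a stored domain admin credential, and Credential Manager shows nothing because the product keeps the credential in its own configuration store. The PowerShell below is an added example for hunting that on the workstation itself, not code from the thread or from any backup vendor. It enumerates services, scheduled tasks and running processes tied to the account, lists what `cmdkey` has stored for the current user, and maps the ProcessId carried in local 4625 events to the live process. The domain name CORP and the account name are placeholders; run it elevated on the suspect workstation.

```powershell
# Added example (not from the original thread): on a workstation that generates the
# failed logons, find what is configured to run as, or authenticate with, a domain
# account. Domain and account names are placeholders.
param(
    [string] $Domain  = 'CORP',            # assumed
    [string] $Account = 'Administrator'    # assumed
)

Write-Host "== Services whose logon account is $Domain\$Account"
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like "*$Account*" } |
    Select-Object Name, StartName, State, PathName | Format-Table -AutoSize

Write-Host "== Scheduled tasks whose principal is $Account"
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$Account*" } |
    Select-Object TaskName, TaskPath, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } } |
    Format-Table -AutoSize

Write-Host "== Running processes owned by $Account (catches agents started some other way)"
Get-CimInstance Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($owner.User -eq $Account) {
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Owner     = "$($owner.Domain)\$($owner.User)"
            Command   = $_.CommandLine
        }
    }
} | Format-Table -AutoSize

Write-Host "== Credential Manager entries for the current user mentioning $Account"
# cmdkey only shows the vault of the user running it; check other profiles separately.
cmdkey /list | Select-String -Pattern $Account

Write-Host "== Local 4625 events for $Account, with the calling process resolved"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $Account) { return }

        # ProcessId in the event XML is a hex string such as 0x1a2c. Do not use
        # $pid for the variable name: it is PowerShell's own process ID.
        $procId = [int]$d['ProcessId']
        # PIDs are reused, so a live match is only meaningful for recent events.
        $live = Get-CimInstance Win32_Process -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time        = $_.TimeCreated
            LogonType   = $d['LogonType']
            SubStatus   = $d['SubStatus']      # 0xC000006A = wrong password
            EventProc   = $d['ProcessName']    # caller as recorded in the event
            LiveProc    = $live.Name           # what currently holds that PID, if anything
            LiveParent  = $live.ParentProcessId
            LiveCommand = $live.CommandLine
        }
    } | Format-Table -AutoSize
```

If the event's ProcessName is consent.exe, as in the question, the credential was presented through a UAC elevation prompt on behalf of another process; the parent of the live process, and the service and task listings above it, are where to look for the agent that initiated it. Once found, the fix is the one the thread reached: remove the agent, or reconfigure it with a dedicated, least-privilege backup account instead of a domain admin.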
