Built-in DOMAIN\Administrator account permanent strange blocking

Allan Stark 476 Reputation points
2020-10-14T19:28:45.183+00:00

The infrastructure is not mine.

Domain/Forest Windows 2012, 5 virtualized DCs in 4 Sites.
The built-in DOMAIN\Administrator account is permanently blocked in the HQ Site on one of the DCs (the PDC Emulator).
Company personnel do not want to disable or rename this account.

The Account Lockout Policy is the default: 15/5/15

In the Security Events I see all of: 4740, 4768, 4624, 1955 (Timeout/AD Object replication error to the other DC in the same AD Site).
But I can't see any foreign IP addresses or network names except the local DC's.
In Event ID 4768, Client Address = ::1
In Event ID 4624, Source Network Address = the IPv6 address of this DC

RDP is disabled (I know about the same behavior with RDP NLA disabled).
This DC has no other software except PRTG (with network monitoring settings) and ESET Antivirus (only Real-Time Protection is enabled).

NTLM auditing showed rare 8002 events.

All latest updates.

Netwrix Account Lockout Examiner and the old MS ALTools told me the obvious thing: that the Administrator account locks out again immediately after the GP lockout policy timeout expires.

Any fresh ideas?


Accepted answer
  1. Allan Stark 476 Reputation points
    2020-10-20T12:53:13.34+00:00

    Suddenly I found the problem.

    Their infrastructure has some servers in the MS Azure and one server has opened RDP to the Internet...

    So it used a transitive network logon, which was displayed in a special way (without a source) in the PDC DC's logs.

    I used the FullDebug flag in nltest (/DBFlag:2080FFFF) on this DC and investigated the source in C:\Windows\debug\netlogon.txt

    I hope this information will help someone.

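A worked example added here (not code from the thread or from Microsoft): a PowerShell script that tallies failed transitive network logons for the built-in account by the forwarding host recorded as "(via HOST)" in the Netlogon debug log, so the server relaying the bad credentials (the Internet-exposed RDP host in this case) stands out. It assumes logging was enabled with the nltest /DBFlag:2080FFFF command from the answer and that the log sits at the default path C:\Windows\debug\netlogon.log; the sample lines and host names are constructed from the documented Netlogon log layout.

```powershell
# Added example, not from the thread. Summarises failed "Transitive Network logon"
# entries in the Netlogon debug log by the forwarding host, for one account.
# Enable the log first with:  nltest /DBFlag:2080FFFF   (disable: nltest /DBFlag:0x0)
param(
    [string]$Account = 'Administrator',
    [string]$LogPath = 'C:\Windows\debug\netlogon.log'   # assumed default location
)

# Constructed sample lines in netlogon.log format, used when no real log is present.
$sample = @'
10/19 15:10:02 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\Administrator from (via AZ-RDP01) Entered
10/19 15:10:02 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\Administrator from (via AZ-RDP01) Returns 0xC000006A
10/19 15:10:03 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\Administrator from (via AZ-RDP01) Returns 0xC000006A
10/19 15:10:20 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WKS07 Returns 0x0
10/19 15:11:05 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\Administrator from (via AZ-RDP01) Returns 0xC0000234
'@ -split "`r?`n"

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }

# "from" is empty when the DC has no source workstation (the "without source" case);
# the relaying server is always named in "(via ...)".
$pattern = 'Transitive Network logon of [^\\]+\\' + [regex]::Escape($Account) +
           ' from (?<from>\S*)\s*\(via (?<via>[^)]+)\) Returns (?<status>0x[0-9A-Fa-f]+)'

# 0xC000006A = wrong password, 0xC0000234 = account locked out
$failureCodes = '0xC000006A', '0xC0000234'

$hits = foreach ($line in $lines) {
    if ($line -match $pattern -and $matches.status -in $failureCodes) {
        [pscustomobject]@{
            Time   = $line.Substring(0, 14)           # "MM/DD HH:MM:SS" prefix
            From   = if ($matches.from) { $matches.from } else { '<none>' }
            Via    = $matches.via
            Status = $matches.status
        }
    }
}

$hits |
    Group-Object Via |
    Sort-Object Count -Descending |
    Select-Object @{n = 'ForwardingHost'; e = { $_.Name }}, Count,
                  @{n = 'FirstSeen'; e = { ($_.Group | Select-Object -First 1).Time }},
                  @{n = 'LastSeen';  e = { ($_.Group | Select-Object -Last 1).Time }} |
    Format-Table -AutoSize
```

The host with the highest count is where to look next (its own Security log will show the real client address); turn the debug flag off again once done, since the log grows quickly.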

3 additional answers

  1. Hannah Xiong 6,221 Reputation points
    2020-10-15T02:34:44.427+00:00

    Hello,

    Thank you so much for posting here.

    As far as I know, the built-in domain administrator account will not actually be locked out. It can still be successfully logged in as soon as the correct password is used.

    I did the test in my lab. I configured the account lockout policy as shown below, logged on to the BDC with the domain admin account and typed the wrong password many times. There were events logged on the BDC as shown below.
    [screenshot: 32409-11.png]
    [screenshot: 32484-12.png]

    Then on the PDC, I could see event IDs 4740 and 4771. Even though there is a 4740 event, the admin account can still be logged in as soon as the correct password is used.

    [screenshot: 32493-13.png]

    Do we see a 4771 or 4776 event (including the user's account name and the error code 0x18 or 0xc000006a) near the 4740 event? Besides, we could try to reset its password to see whether that solves the issue.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


  2. Dave Patrick 426.1K Reputation points MVP
    2020-10-14T19:38:20.667+00:00

    account is permanently blocked in HQ Site on one of the DC

    Since it only affects a single domain controller, the simplest solution may be to stand up a new one as a replacement, then demote/decommission the problematic one.


  3. Allan Stark 476 Reputation points
    2020-10-19T15:17:42.073+00:00

    In the end I strongly advised blocking or at least renaming the default Domain Administrator account.
    Thank you HannahXiong-MSFT, I didn't know about that feature of the AD Administrator account.
