ADDS domain admin 'administrator' account locked

Denis Payne 176 Reputation points
2023-09-01T15:38:01.9733333+00:00
The built-in ADDS administrator account is getting locked once an hour.

There is only one Windows Server 2012 R2 Standard domain controller; something on this domain controller is causing the account to lock.

I've checked scheduled tasks, services, and events but cannot figure out what the source of this account lock is.

Event 4740 is logged every hour when the account is locked. 

Prior to event 4740, event 4771 is logged five times which is what the account lockout threshold is set to. 

Event 4625 is logged before and after the account is locked, but not at the same time as the account lock.

Is there a way I can determine the cause of these account locks? 


Source: Microsoft Windows security
Event ID: 4740
	A user account was locked out.

	Subject:
	Security ID:		SYSTEM
	Account Name:		%ServerName%$
	Account Domain:		%DomainName%
	Logon ID:		0x3E7

	Account That Was Locked Out:
	Security ID:		%DomainName%\administrator
	Account Name:		Administrator

	Additional Information:
	Caller Computer Name:	%ServerName%


Source: Microsoft Windows security
Event ID: 4771
	Kerberos pre-authentication failed.

	Account Information:
		Security ID:		%DomainName%\administrator
		Account Name:		Administrator

	Service Information:
		Service Name:		krbtgt/%DomainName%

	Network Information:
		Client Address:		::1
		Client Port:		0

	Additional Information:
		Ticket Options:		0x40810010
		Failure Code:		0x18
		Pre-Authentication Type:	2

	Certificate Information:
		Certificate Issuer Name:		
		Certificate Serial Number: 	
		Certificate Thumbprint:		


Source: Microsoft Windows security
Event ID: 4625
	An account failed to log on.

	Subject:
		Security ID:		NULL SID
		Account Name:		-
		Account Domain:		-
		Logon ID:		0x0

	Logon Type:			3

	Account For Which Logon Failed:
		Security ID:		NULL SID
		Account Name:		Administrator
		Account Domain:		%DomainName%

	Failure Information:
		Failure Reason:		Unknown user name or bad password.
		Status:			0xC000006D
		Sub Status:		0xC000006A

	Process Information:
		Caller Process ID:	0x0
		Caller Process Name:	-

	Network Information:
		Workstation Name:	%ServerName%
		Source Network Address:	%ServerIP%
		Source Port:		20539

	Detailed Authentication Information:
		Logon Process:		NtLmSsp 
		Authentication Package:	NTLM
		Transited Services:	-
		Package Name (NTLM only):	-
		Key Length:		0

1 answer

  1. JimmySalian-2011 42,511 Reputation points
    2023-09-02T18:25:04.2233333+00:00

    Hi,

    Can you check if any services are configured to use the DA account? I would suggest you create a new account as a backup.

    Check if there are any scheduled tasks such as backups, AV scanning or any tasks that are triggered by the activity and using this account. Process of elimination is required, so consider all the options on the AD Domain Controller. Do you have any clients that might be using this account? Disable any scheduled tasks to start with.

    Hope this helps.

    JS

    ==

    Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.
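The checks suggested in the answer, as an added PowerShell example (not code from either poster): it lists services and scheduled tasks that run as the locked-out account and tabulates the recent 4740/4771/4625 events by source. It assumes an elevated session on the domain controller; the `$account` value and the 24-hour window are assumptions.

```powershell
# Added example (hypothetical triage script); run elevated on the domain controller.
$account = 'Administrator'                      # assumption: account named in the events
$pattern = '(^|\\)' + [regex]::Escape($account) + '(@|$)'

# 1. Services that log on as the account (DOMAIN\name, .\name or name@domain).
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Format-Table Name, StartName, State, StartMode -AutoSize

# 2. Scheduled tasks whose principal is the account.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $pattern } |
    Format-Table TaskPath, TaskName, State -AutoSize

# 3. Lockout-related events from the last 24 hours (window is an assumption).
$filter = @{ LogName = 'Security'; Id = 4625, 4771, 4740
             StartTime = (Get-Date).AddHours(-24) }
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields of each record into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $account) { return }   # other accounts: skip
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            # 4771 and 4625 carry IpAddress; 4740 puts the caller computer in TargetDomainName.
            Source  = if ($_.Id -eq 4740) { $d['TargetDomainName'] } else { $d['IpAddress'] }
            Process = $d['ProcessName']          # 4625 only; '-' when Windows did not record it
            Package = $d['AuthenticationPackageName']
            Status  = if ($d['SubStatus']) { $d['SubStatus'] } else { $d['Status'] }
        }
    }

# Timeline of failures and lockouts for the account.
$rows | Sort-Object Time | Format-Table -AutoSize

# Count per event ID and source; one dominant source narrows where to look.
$rows | Group-Object Id, Source | Select-Object Count, Name
```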

