Domain Admin password failures after password change

Craig Tompkins 26 Reputation points
2021-02-19T11:48:24.487+00:00

We had an IT member leave who knew the Domain Administrator password, so we changed it. Since then all of our domain controllers are reporting login failures all day long (thousands a day). The source is the domain controllers themselves (at least I assume it is, as the Client Address is listed as ::1 or 127.0.0.1) and the event ID is 4771 with a failure code of 0x18 "Pre-authentication information was invalid", which I believe means bad password. I'm trying to figure out where on the domain controllers this account might be trying to log in. We are not having any performance or visible issues.

I've verified no services are running as this account and there are no scheduled tasks running as this account. Yes, I have rebooted all the servers.

When I look at the event details it shows a process ID of 664. Task Manager details shows PID 664 as lsass.exe. If I then look at Task Manager services, I see PID 664 as the following:
[Screenshot: 70063-pid664services.png]
I did check Credential Manager and there are "No Windows credentials."

I'm stuck on how to move forward from here. I hope someone might have seen this type of behavior before and can point me in the right direction before I break down and open a ticket.
The DCs are Windows Server 2019 if that matters.
Thanks for any and all suggestions.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | Other
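
An added example, not part of the original post or of any reply: one way to tally event 4771 failures by domain controller, account, client address and failure code, so that a loopback source such as ::1 stands out from remote clients. The two event records are constructed samples, and the function name `Get-PreAuthFailureSummary` is hypothetical.

```powershell
# Constructed sample records in the shape of Security event 4771 XML.
# Host names and values are illustrative, not taken from the thread's logs.
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><Computer>dc01.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::1</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><Computer>dc01.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.0.2.25</Data>
  </EventData>
</Event>
'@
)

function Get-PreAuthFailureSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $evt = ([xml]$x).Event
        # Flatten the <Data Name="..."> elements into a lookup table.
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Computer      = $evt.System.Computer
            Account       = $d['TargetUserName']
            ClientAddress = $d['IpAddress']
            Status        = $d['Status']    # 0x18 = pre-authentication failed
            Loopback      = $d['IpAddress'] -in '::1', '127.0.0.1'
        }
    }
    # One line per distinct source, busiest first.
    $rows | Group-Object Computer, Account, ClientAddress, Status, Loopback |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# On a domain controller, feed live events instead of the samples:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} -MaxEvents 1000 |
#       ForEach-Object { $_.ToXml() }
Get-PreAuthFailureSummary -EventXml $sampleEvents
```
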

6 answers

  1. Anonymous
    2021-02-19T13:11:24.053+00:00

    Something here may help.
    http://woshub.com/troubleshooting-identify-source-of-active-directory-account-lockouts/

    --please don't forget to Accept as answer if the reply is helpful--

  2. Craig Tompkins 26 Reputation points
    2021-02-19T14:54:08.237+00:00

    Thanks but I have seen that article. The account is the domain admin account itself, so it does not get locked out and I've already gotten it narrowed down further than that article can take me.

  3. Anonymous
    2021-02-19T14:58:22.257+00:00

    Might work through this one.
    https://theposhwolf.com/howtos/Get-ADUserBadPasswords/

    --please don't forget to Accept as answer if the reply is helpful--

  4. Craig Tompkins 26 Reputation points
    2021-02-19T18:18:34.68+00:00

    I'm sorry but that does not provide any more details than I already have.

  5. Anonymous
    2021-02-19T19:17:20.943+00:00

    You can also start a case here with product support.
    https://support.serviceshub.microsoft.com/supportforbusiness

    --please don't forget to Accept as answer if the reply is helpful--
