NT domain admin account locks out

Archived from groups: microsoft.public.windowsnt.domain

I've discovered that every time my Help Desk adds a new
computer to the domain from the computer, the domain admin
account gets locked out by that machine. The Help Desk
are not attempting to use the domain admin account. They
have adequate rights to do this with their own accounts.
Any ideas what could be calling the domain admin account?

What are you referring to as the "domain admin account"? Is it the domain's
built-in Administrator account (e.g. mydomain\administrator)? I'll assume
this is the case. If that's not the case, please post a bit more detail.

AFAIK, it is impossible to lock out the built-in Administrator account.
The best you can do is apply a security patch (can't remember the name)
that allows the Administrator account to be locked out for network
access. Even when this patch is in place and the Administrator account
has been locked out for network access, you can still use the
Administrator account to log on locally (interactively).

Can't say that I've ever seen it done, but you might end up locking the
domain's built-in Administrator account if:

1) you have the security patch in place

2) AND the techs are logging onto the remote member with its local
Administrator account

3) AND the techs or some process on the remote member is attempting to
access a resource on one of your domain controllers

4) AND the password for the member's Administrator account doesn't match
the password for the domain's Administrator account.

This is based on the way NT handles account authentication and an
educated guess on my part. If an NT box (e.g. a domain controller)
doesn't recognize and trust the authenticating agent associated with the
account, in a set of passed credentials, it will attempt to authenticate
the account against its own local SAM. You'll find a little more on
this at http://www.unknownegg.org/tech/NT-ConnectionAuthentication.htm
and there used to be an MS KB article, though it may have been trashed
in favor of W2k/W2k3 based articles.

For example, let's assume

domain name MyDom
MyDom\Administrator password: dom-pwd
MyDom domain controller: DC1
remote member: MyPC
MyPC Administrator password: pc-pwd

If the techs are logged onto MyPC as mypc\administrator and attempt to
access a network resource on DC1, MyPC will pass mypc\administrator and
pc-pwd (through a secure mechanism, of course). DC1 doesn't recognize
MyPC as a trusted authenticating agent (members trust the domain, the
domain does not trust members). So it attempts to authenticate the
account against its local SAM (the local SAM of a DC is the domain's
SAM). DC1 finds a matching account name 'Administrator' and attempts to
use that. Since the password for mypc\administrator doesn't match the
password for mydom\administrator, the attempt fails and, I believe, is
recorded as a failed attempt with mydom\administrator.


If you haven't already done so, you might want to enable auditing for
Logon/Logoff, at least for failures. Once auditing is enabled, the
security log should provide events to help track the problem.


On Fri, 30 Jul 2004 14:02:54 -0700, "Maury" <mblair@hgds.com> wrote:

>I've discovered that every time my Help Desk adds a new
>computer to the domain from the computer, the domain admin
>account gets locked out by that machine. The Help Desk
>are not attempting to use the domain admin account. They
>have adequate rights to do this with their own accounts.
>Any ideas what could be calling the domain admin account?

--
Note, I seldom respond to email questions. Please keep discussions in
the news group, so everyone can benefit from them (including me <g>).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
John R Buchan ........................ jrb-tech(at)unknownegg(dot)org
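As an added illustration (not code from John's post, and not how NT itself is implemented), the following Python model walks through the MyDom/MyPC scenario above and then does the triage the auditing advice points at: it replays the DC's "unknown authority, fall back to my own SAM" behaviour, counts bad-password attempts against the name it matched, and groups the resulting failure records by the workstation that sent them. The lockout threshold of 5, the record fields, and the machine name ADMINWS are assumptions of the model, not values from the thread.

```python
"""Model of the NT fallback authentication described in the thread.

Added example: a toy domain controller whose 'local SAM' is the domain
SAM, plus a triage helper that answers the original question, namely
which machine is producing the failed logons for MyDom\\Administrator.
"""
from collections import Counter
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # assumed account-lockout policy; not stated in the thread


@dataclass
class AuditEvent:
    outcome: str            # "success" or "failure"
    reason: str             # model's own wording for the failure cause
    user: str               # account name the DC tried to use
    claimed_authority: str  # domain or machine name the client sent with the account
    workstation: str        # machine the request came from
    fallback: bool          # True when the authority was not one the DC trusts


@dataclass
class DomainController:
    domain: str
    sam: dict                                   # name (lower-case) -> password; model only, NT stores hashes
    trusted: set = field(default_factory=set)   # other authorities the DC accepts (trusted domains)
    bad_counts: Counter = field(default_factory=Counter)
    audit_log: list = field(default_factory=list)
    lockout_threshold: int = LOCKOUT_THRESHOLD

    def authenticate(self, authority, user, password, workstation):
        key = user.lower()
        known = {a.lower() for a in self.trusted} | {self.domain.lower()}
        fallback = authority.lower() not in known
        # A member's own SAM is not a trusted authority, so the DC resolves
        # the bare account name in its local SAM, which on a DC is the domain SAM.
        account_pwd = self.sam.get(key)
        if account_pwd is None:
            return self._record("failure", "unknown user name", user, authority, workstation, fallback)
        if self.bad_counts[key] >= self.lockout_threshold:
            return self._record("failure", "account locked out", user, authority, workstation, fallback)
        if password != account_pwd:
            self.bad_counts[key] += 1  # the bad-password counter belongs to the matched domain account
            return self._record("failure", "bad password", user, authority, workstation, fallback)
        self.bad_counts[key] = 0
        return self._record("success", "", user, authority, workstation, fallback)

    def _record(self, outcome, reason, user, authority, workstation, fallback):
        self.audit_log.append(AuditEvent(outcome, reason, user, authority, workstation, fallback))
        return outcome == "success"

    def is_locked_out(self, user):
        return self.bad_counts[user.lower()] >= self.lockout_threshold


def failures_by_source(audit_log, user):
    """Count failed logons for one account name per (workstation, claimed
    authority). With Logon/Logoff failure auditing on, this is the grouping
    that points at the member whose local Administrator password differs."""
    counts = Counter()
    for ev in audit_log:
        if ev.outcome == "failure" and ev.user.lower() == user.lower():
            counts[(ev.workstation, ev.claimed_authority)] += 1
    return counts


def scenario():
    """The thread's example: techs on MyPC logged on as MyPC\\Administrator
    (pc-pwd) touch a resource on DC1 in MyDom, whose Administrator uses dom-pwd."""
    dc1 = DomainController(domain="MyDom", sam={"administrator": "dom-pwd"})
    for _ in range(LOCKOUT_THRESHOLD):
        dc1.authenticate("MyPC", "Administrator", "pc-pwd", workstation="MYPC")
    # Afterwards a correct MyDom\Administrator network logon from an assumed
    # admin workstation is refused because the domain account is now locked.
    ok = dc1.authenticate("MyDom", "Administrator", "dom-pwd", workstation="ADMINWS")
    return dc1, ok


if __name__ == "__main__":
    dc1, ok = scenario()
    print("MyDom\\Administrator locked out:", dc1.is_locked_out("Administrator"))
    print("legit logon accepted:", ok)
    for (ws, auth), n in failures_by_source(dc1.audit_log, "Administrator").items():
        print(f"{n} failures from workstation {ws} presenting {auth}\\Administrator")
```

The point the model makes is that the failure counter is attached to the account the DC matched by name, not to the account the member thought it was presenting, so the security-log entries that explain the lockout carry MyPC as the workstation even though nobody on MyPC typed the domain Administrator's name.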