NT domain admin account locks out

Archived from groups: microsoft.public.windowsnt.domain (More info?)

I've discovered that every time my Help Desk adds a new
computer to the domain from that computer, the domain admin
account gets locked out by that machine. The Help Desk
are not attempting to use the domain admin account. They
have adequate rights to do this with their own accounts.
Any ideas what could be calling the domain admin account?

    What are you referring to as the "domain admin account"? Is it the domain's
    builtin Administrator account (e.g. mydomain\administrator)? I'll assume
    this is the case. If that's not the case, please post a bit more detail.

    AFAIK, it is impossible to lock out the builtin Administrator account.
    The best you can do is apply a security patch (can't remember the name)
    that allows the Administrator account to be locked out for network
    access. Even when this patch is in place and the Administrator account
    has been locked out for network access, you can still use the
    Administrator account to log on locally (interactively).

    Can't say that I've ever seen it done, but you might end up locking the
    domain's builtin Administrator account if:

    1) you have the security patch in place

    2) AND the techs are logging onto the remote member with its local
    Administrator account

    3) AND the techs or some process on the remote member is attempting to
    access a resource on one of your domain controllers

    4) AND the password for the member's Administrator account doesn't match
    the password for the domain's Administrator account.

    This is based on the way NT handles account authentication and an
    educated guess on my part. If an NT box (e.g. a domain controller)
    doesn't recognize and trust the authenticating agent associated with the
    account in a set of passed credentials, it will attempt to authenticate
    the account against its own local SAM. You'll find a little more on
    this at http://www.unknownegg.org/tech/NT-ConnectionAuthentication.htm
    and there used to be an MS KB article, though it may have been trashed
    in favor of W2k/W2k3 based articles.

    For example, let's assume

    domain name MyDom
    MyDom\Administrator password: dom-pwd
    MyDom domain controller: DC1
    remote member: MyPC
    MyPC Administrator password: pc-pwd

    If the techs are logged onto MyPC as mypc\administrator and attempt to
    access a network resource on DC1, MyPC will pass mypc\administrator and
    pc-pwd (through a secure mechanism, of course). DC1 doesn't recognize
    MyPC as a trusted authenticating agent (members trust the domain, the
    domain does not trust members). So it attempts to authenticate the
    account against its local SAM (the local SAM of a DC is the domain's
    SAM). DC1 finds a matching account name 'Administrator' and attempts to
    use that. Since the password for mypc\administrator doesn't match the
    password for mydom\administrator, the attempt fails and, I believe, is
    recorded as a failed attempt with mydom\administrator.


    If you haven't already done so, you might want to enable auditing for
    Logon/Logoff, at least for failures. Once auditing is enabled, the
    security log should provide events to help track the problem.


    On Fri, 30 Jul 2004 14:02:54 -0700, "Maury" <mblair@hgds.com> wrote:

    >I've discovered that every time my Help Desk adds a new
    >computer to the domain from that computer, the domain admin
    >account gets locked out by that machine. The Help Desk
    >are not attempting to use the domain admin account. They
    >have adequate rights to do this with their own accounts.
    >Any ideas what could be calling the domain admin account?

    --
    Note, I seldom respond to email questions. Please keep discussions in
    the news group, so everyone can benefit from them (including me <g>).
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    John R Buchan ........................ jrb-tech(at)unknownegg(dot)org
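The fallback described in the answer (an untrusted authority's credentials being retried against the DC's own SAM, with the failure charged to the domain account of the same name) is modelled below, together with the per-workstation failure count that logon-failure auditing would give you. This is an added example, not code from the original thread; the MyDom/DC1/MyPC names and passwords are the thread's constructed values, and the lockout threshold, the `helpdesk` account and the `HDWS01` workstation are assumptions.

```python
from dataclasses import dataclass, field
from collections import Counter

LOCKOUT_THRESHOLD = 3  # assumption: domain policy locks out after 3 bad passwords

@dataclass
class DomainSam:
    """Minimal model of a DC's SAM: passwords, bad-password counts, lockouts, audit trail."""
    domain: str
    passwords: dict
    bad_counts: Counter = field(default_factory=Counter)
    locked: set = field(default_factory=set)
    audit: list = field(default_factory=list)

def authenticate(dc, authority, user, password, workstation):
    """A member presents <authority>\\<user> + <password> to the DC.

    The DC trusts only its own domain. Any other authority (a member's local SAM
    such as 'MyPC') is retried as a bare user name against the domain SAM, so a
    wrong password is charged to the domain account of the same name."""
    if authority.lower() != dc.domain.lower():
        dc.audit.append(f"{workstation}: untrusted authority '{authority}', retrying {dc.domain}\\{user} locally")
    if user in dc.locked:
        dc.audit.append(f"{workstation}: FAILURE {dc.domain}\\{user} is locked out")
        return False
    if dc.passwords.get(user) == password:
        dc.bad_counts[user] = 0
        dc.audit.append(f"{workstation}: SUCCESS {dc.domain}\\{user}")
        return True
    dc.bad_counts[user] += 1
    dc.audit.append(f"{workstation}: FAILURE bad password for {dc.domain}\\{user}")
    if dc.bad_counts[user] >= LOCKOUT_THRESHOLD:
        dc.locked.add(user)
        dc.audit.append(f"{workstation}: LOCKOUT {dc.domain}\\{user}")
    return False

def failures_by_workstation(dc):
    """What failure auditing buys you: which machine is generating the bad attempts."""
    return Counter(line.split(":")[0] for line in dc.audit if "FAILURE" in line)

def helpdesk_scenario():
    """Replay the thread's example: techs on MyPC as mypc\\Administrator touch a share on DC1."""
    dc1 = DomainSam("MyDom", {"Administrator": "dom-pwd", "helpdesk": "hd-pwd"})
    authenticate(dc1, "MyDom", "helpdesk", "hd-pwd", "HDWS01")  # a tech's own domain account: fine
    for _ in range(LOCKOUT_THRESHOLD):
        authenticate(dc1, "MyPC", "Administrator", "pc-pwd", "MyPC")  # local admin, different password
    return dc1
```

Printing `helpdesk_scenario().audit` shows every bad attempt tagged with the workstation name, which is the field to look at in the real security log once failure auditing is on.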