Administrator Account Locked out every 15 minutes

From: Jeff Gipson (MSNG@jeffgipson.net)
Date: 09/20/02


From: "Jeff Gipson" <MSNG@jeffgipson.net>
Date: Fri, 20 Sep 2002 11:58:56 -0700


We have 2 Active Directory domain controllers (Windows
2000 Server) (native mode). On one of the controllers
(the one running Exchange 2000), every five minutes a
SECURITY event FAILURE AUDIT is produced:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 9/20/2002
Time: 1:27:04 PM
User: NT AUTHORITY\SYSTEM
Computer: TRDI-COMM
Description:
The logon to account: administrator
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: <MYDOMAINCONTROLER>
 failed. The error code was: 3221225578
 
After three of these (15 minutes), the Administrator
account is locked out.

I have really two issues here:

A) What is trying to log in as administrator and is
failing?

B) Why are accounts locking (I forgot to mention that
other domain accounts sporadically get locked out, but not
in regular time intervals)

Background info:

A) No services on either of the servers are configured to
log in as administrator. I see many corresponding SUCCESS
AUDITS for other accounts. The same event log entry seems
to be replicated to the other server's event log, as well.

B) The Local domain policy's security settings are weak.
The PASSWORD POLICY is undefined, and the ACCOUNT LOCKOUT
POLICY is undefined so account lockouts should not occur
(?). When the other accounts get locked out erratically
and sporadically, the account lockout policy is *defined
and enabled* to the defaults... 3 failed attempts / 30
minute lockout, etc. Why does this policy keep coming
back? There are no other group policies in the domain
besides the default domain policy.
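
Added example (not part of the original post): the error code in the event above, 3221225578, is the decimal form of NTSTATUS 0xC000006A (STATUS_WRONG_PASSWORD). The Python below parses Event 681 text in the layout shown, decodes the code, and measures the spacing between failures per account and source. The workstation name DC-EXAMPLE and the two repeat events are constructed sample data, and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# NTSTATUS values that can appear (as unsigned decimal) in the 681 error code field
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# Matches one event in the text layout quoted in the post
EVENT_RE = re.compile(
    r"Date:\s*(?P<date>\S+)\s+Time:\s*(?P<time>\d+:\d+:\d+ [AP]M).*?"
    r"logon to account:\s*(?P<account>\S+).*?"
    r"from workstation:\s*(?P<ws>\S+).*?"
    r"error code was:\s*(?P<code>\d+)",
    re.S | re.I)

# Constructed sample: the post's event plus two invented repeats, 5 minutes apart
TEMPLATE = ("Event ID: 681\nDate: 9/20/2002\nTime: {t}\nDescription:\n"
            "The logon to account: administrator\n"
            " by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            " from workstation: DC-EXAMPLE\n"
            " failed. The error code was: 3221225578\n")
SAMPLE = "\n".join(TEMPLATE.format(t=t)
                   for t in ("1:27:04 PM", "1:32:04 PM", "1:37:04 PM"))

def parse_681(text):
    """Return one dict per Event 681 found in exported event text."""
    events = []
    for m in EVENT_RE.finditer(text):
        code = int(m["code"])
        stamp = f"{m['date']} {m['time']}"
        events.append({
            "when": datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"),
            "account": m["account"].lower(),
            "workstation": m["ws"],
            # Unknown codes are shown in hex so they can be looked up
            "status": NTSTATUS.get(code, f"0x{code:08X}"),
        })
    return events

def failure_intervals(events):
    """Seconds between consecutive failures per (account, workstation, status)."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["when"]):
        groups[(e["account"], e["workstation"], e["status"])].append(e["when"])
    return {k: [int((b - a).total_seconds()) for a, b in zip(v, v[1:])]
            for k, v in groups.items()}
```

On the sample, `failure_intervals(parse_681(SAMPLE))` reports two 300-second gaps for the administrator account from DC-EXAMPLE, all with STATUS_WRONG_PASSWORD.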


