Hey everyone! I'm having a bit of a nightmare with some old domain admin credentials. We changed our domain admin password last week, and now our ADAudit is showing that one of our domain controllers is repeatedly attempting to use the old password. It's reporting a "Login failure for User 'Administrator' in 'DomainController.mydomain.local'. Reason: 'Bad password'." The details indicate there's a Kerberos Pre-Authentication failure with event number 4771 and failure code 0x18.
Here's what I've tried so far:
- The caller process is svchost.exe.
- I checked all services and scheduled tasks for any lingering uses of the old credentials.
- I've disconnected and reconnected all mapped drives.
- Made sure no GPOs are trying to apply with the old password.
- Cleared the credential manager.
- I've looked for any startup/logon scripts, but can't find any.
- Even did a klist purge and ran a process monitor for logon failures.
- Everything looks good on AD replication, and I have rebooted the system.
I'm at a total loss here, any ideas? Thanks!
4 Answers
Have you checked if your server is also acting as a DHCP server? If so, head over to the IPv4 properties, go to Advanced, and check Credentials there. That might be the cause of the ongoing issues.
Also, have you correlated the times of the service starts and stops in your system log? It could help to identify if a specific service is triggering those login failures around the same time.
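The time correlation suggested above can be scripted on the DC that logs the failures. This is an added example, not code from any poster in this thread; it assumes an elevated PowerShell session, that the DC records service state changes as System event 7036, and an arbitrary 24-hour look-back with a 60-second window.

```powershell
# Added example: list which service state changes (System 7036) most often
# precede a Kerberos pre-auth failure (Security 4771, status 0x18).
$since  = (Get-Date).AddHours(-24)   # assumed look-back period
$window = 60                         # assumed seconds before each failure

# 4771 = Kerberos pre-authentication failed; Status 0x18 = bad password
$failures = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = $data['TargetUserName']
        Status = $data['Status']
        Client = $data['IpAddress']   # address the request came from
    }
} | Where-Object { $_.Status -eq '0x18' -and $_.User -eq 'Administrator' }

# 7036 = a service entered the running or stopped state
$services = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7036; StartTime = $since
} -ErrorAction SilentlyContinue

# Source addresses of the failures, most frequent first
$failures | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name

# Service events logged within $window seconds before each failure
$failures | ForEach-Object {
    $f = $_
    $services | Where-Object {
        $delta = ($f.Time - $_.TimeCreated).TotalSeconds
        $delta -ge 0 -and $delta -le $window
    } | ForEach-Object {
        [pscustomobject]@{ FailureTime = $f.Time; ServiceEvent = $_.Message }
    }
} | Group-Object ServiceEvent | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A service that tops the second list across many failures is the first place to look for a stored copy of the old password.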
Just a thought, is there any system where the domain administrator account might still be logged in, potentially in a console session? It might be hitting the DC that’s logging the failed attempts. Don't forget to check your Hyper-V hosts!
I bet it's some backup or replication software, like Veeam or Veritas, that's trying to access a share with the old credentials. If you haven't yet, restarting all your domain controllers can help flush out stale credentials from the KDC.
I did check that area, and it was something I missed! So far, it seems to be helping, but I'm still keeping an eye on it just in case.