I'm facing an issue with a Domain Admin account that gets locked out consistently every two hours. I've noticed event 4740 is logged at midnight, 2:00 AM, 4:00 AM, and this continues until 10:00 PM, along with multiple 4625 events occurring simultaneously. This has been a problem since around March, but I've been looking into it more seriously since April. I found a useful troubleshooting guide, but I'm still struggling to pinpoint the cause of the lockouts.
From my investigation, the source of the problem appears to be one of our domain controllers (DC1 or DC2), both of which seem to be synced. The process mentioned is lsass.exe, which hasn't led me to a solution either.
I've checked for any relevant passwords stored under either Credentials Manager on DC1 but couldn't find anything suspicious, plus, I deleted a task I found in PowerShell, yet the lockouts persist.
Also, the Domain Admin account doesn't even have an associated email, which makes me think it's not an Outlook setting causing the issue. I've ensured the user isn't logged on to either DC or any other servers—a crucial detail since the consistently timed lockouts suggest a scheduled task or some automated job might be at play. But after listing all scheduled tasks, nothing stands out.
As a last resort, a colleague suggested that we could delete and recreate the AD account, although I'm apprehensive about the resulting duplicate Windows profiles on client machines, along with other potential repercussions. Would there be a better way to fix this?
4 Answers
I’d recommend downloading the Netwrix Account Lockout Examiner. It's a free tool that helps you figure out what's causing lockouts and provides better visibility into the whole process. It might give you the insights you need to pin down the issue without having to recreate accounts.
Yeah, these tools can be lifesavers. Just double-check the events around the times it locks out; you might see a pattern.
Regarding recreating the user account, if you do it, be aware that the new profile will be created with the same username but appended with a number. Just be ready to manually migrate any data from the old profile to the new one, as they'll essentially be treated as separate accounts in Windows.
Yes, handling profiles can be tricky! Avoid it if you can—moving data over just adds more work and complexity.
Agreed! If you're not certain about fully switching accounts, consider other avenues before taking that step.
Have you thought about the lockout duration? If it's set to 2 hours, that could explain why it keeps happening right after unlocking. If external access is at play, like OWA or Exchange services, those common vectors could be subject to brute force attacks, especially if they're exposed to the internet.
That’s a great point! Make sure your public-facing services are secure; otherwise, you might continue facing these lockouts.
Definitely check those logs too. It's surprising how often those types of issues slip through the cracks.
It definitely sounds like a scheduled task is causing this lockout issue. Have you checked all the tasks across your servers? That could lead you to the culprit. If you have a tool for capturing packets, running it right when the lockout happens could help identify which machine is making the authorization requests. You might find the source IP for those failed logon attempts, which could be the key to solving this.
Just ensure you are looking at the right machines. The logs should give you some hints on where the authentication requests are coming from.
For sure, scheduled tasks are a common source of these issues. Focus on the ones related to automation or any scripts that could be running under the Domain Admin account—those are often the trickiest to find.
That sounds like a solid plan! Definitely worth a shot before making any drastic changes.
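The log correlation and scheduled-task sweep suggested in the answers above, as an added example that is not any poster's code: it assumes admin rights and PowerShell Remoting to DC1 and DC2 (the two DCs named in the question), and `adminuser` is a placeholder for the locked-out account.

```powershell
# Added example, not a poster's code: correlate 4740 lockouts with the
# 4625 failures that precede them, then list tasks/services that run as
# the account. Assumes admin rights and PS Remoting to DC1 and DC2.
$User = 'adminuser'          # placeholder: sAMAccountName of the locked-out admin
$DCs  = 'DC1', 'DC2'         # the two domain controllers named in the question
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    # Read a named EventData field instead of relying on Properties[] order.
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 1) Lockouts: 4740's TargetDomainName is the "Caller Computer Name" field.
$lockouts = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
    } | Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
      ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc
                           Caller = Get-EventField $_ 'TargetDomainName' }
      }
}
$lockouts | Sort-Object Time | Format-Table -AutoSize

# 2) Failures in the five minutes before each lockout: IpAddress and
#    WorkstationName give the source, LogonType/ProcessName the mechanism
#    (4 = batch/scheduled task, 5 = service, 3 = network, 10 = RDP).
foreach ($l in $lockouts) {
    Get-WinEvent -ComputerName $l.DC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625
        StartTime = $l.Time.AddMinutes(-5); EndTime = $l.Time
    } | Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
      ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated; DC = $l.DC
            Source = Get-EventField $_ 'IpAddress'
            Workstation = Get-EventField $_ 'WorkstationName'
            LogonType = Get-EventField $_ 'LogonType'
            Process = Get-EventField $_ 'ProcessName'
            SubStatus = Get-EventField $_ 'SubStatus'   # 0xC000006A = wrong password
        }
      } | Format-Table -AutoSize
}

# 3) Tasks and services configured to run as the account on the DCs
#    (re-run against whichever hosts step 2 points at).
Invoke-Command -ComputerName $DCs -ScriptBlock {
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$using:User*" } |
        Select-Object TaskPath, TaskName, @{n='RunAs'; e={ $_.Principal.UserId }}
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "*$using:User*" } |
        Select-Object Name, StartName, State
}
```

A caller that is a DC itself with LogonType 4 or 5 in step 2 points at a task or service on that DC; a remote Source address with LogonType 3 points at another host, where step 3 should be re-run.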