Hey everyone,
I'm having a frustrating issue with a Domain Admin account that's getting locked out exactly every two hours. It logs an Event 4740 at midnight, 2:00 AM, 4:00 AM, and so on throughout the day, and I also see multiple Event 4625 entries around the same times.
This started back in March, and I've been trying to troubleshoot since April. I found a helpful guide about Active Directory account troubleshooting, which gave me some insights, but I'm still at a loss.
The logs show that the source of the issue might be from DC1 and DC2, which are both synchronized. The process triggering the lockout seems to be lsass.exe. Here are a few things I've checked:
- Credentials Manager doesn't show any relevant passwords that could cause this lockout, and I even cleared it out on both domain controllers but the issue persists.
- The offending Domain Admin account has no associated email, while there is a non-admin account with an email that seems to work fine. I wonder if this is relevant.
- I've ensured that the user is logged out of both DCs and other servers, which makes me think it might be a scheduled task.
- I checked for scheduled tasks on both DCs with PowerShell, but I couldn't find any. After deleting the one task that was running, the lockout occurred again after 2 hours.
- I looked through the Netlogon logs, but I'm not really adept at reading them. I noticed mentions of cached credentials for mapped drives, but I think they're saved in Credentials Manager too.
As a last resort, the user suggested we could delete and recreate their AD account, but I'm hesitant because of potential duplicate profiles on client machines (like username and username.domain). Is there a safer method to troubleshoot this? I appreciate any guidance!
5 Answers
It sounds like someone has set up a scheduled task that runs every 2 hours on a server. You should have a look at any scheduled tasks they configured, as that's likely where the problem lies. Get that fixed, and it could resolve your lockout issue!
Absolutely, that sounds exactly like what might be happening here.
Regarding the potential account deletion, be aware that if you delete and recreate the AD account, Windows will create a new profile unless you migrate data from the old profile manually. It'll append a number to the new profile folder if the username matches. Just something to consider before you go through with it!
Yeah, I’d prefer to avoid recreating it if possible.
Check the event logs on the machine from where the authentication requests are coming. That system is probably responsible for the lockouts. You'll want to look into the scheduled tasks on that machine as well!
Right? That’s the first place to start looking.
Given the timing is so regular, it's likely a scheduled task. Do you have any tools to check all scheduled tasks across your network? Running a packet capture when the lockout happens could give you insight into which device is making the auth requests. Also, check your failed logon events; they might not show the source IP, but you might get lucky!
Also, if you didn’t see a 4771 event on your domain controllers, that’s something worth checking out. It relates to Kerberos issues which could be a part of this problem.
Switching to a group managed service account for any scripts could help too!
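A way to chain the checks suggested in this thread (pull the 4740 events, confirm the two-hour cadence, then enumerate scheduled tasks on each caller computer that run as the account), written as an added example rather than anything posted here. It assumes the RSAT ActiveDirectory module on a DC, and `adminuser` is a placeholder for the affected account.

```powershell
# Added example (not from the thread): correlate 4740 lockouts with the
# caller computer they name, then look for scheduled tasks on that computer
# whose principal is the locked-out account. Run on a DC as a domain admin.
param(
    [string]$Account     = 'adminuser',                # placeholder sAMAccountName
    [string]$PdcEmulator = (Get-ADDomain).PDCEmulator, # 4740 is always logged here
    [int]$Hours          = 24
)

$since = (Get-Date).AddHours(-$Hours)

# In 4740 EventData the locked account is TargetUserName and the
# "Caller Computer Name" field is carried as TargetDomainName.
$lockouts = Get-WinEvent -ComputerName $PdcEmulator -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = $d['TargetUserName']
        Caller = $d['TargetDomainName']
    }
} | Where-Object { $_.User -eq $Account } | Sort-Object Time

$lockouts | Format-Table -AutoSize

# Cadence check: hours between consecutive lockouts (expect ~2.0 for this case).
$times = @($lockouts | Select-Object -ExpandProperty Time)
for ($i = 1; $i -lt $times.Count; $i++) {
    '{0} -> {1}: {2:N1} h' -f $times[$i-1], $times[$i], ($times[$i] - $times[$i-1]).TotalHours
}

# On each distinct caller computer, list scheduled tasks that run as the account.
$lockouts | Select-Object -ExpandProperty Caller -Unique |
  Where-Object { $_ -and $_ -ne '-' } | ForEach-Object {
    $cs = New-CimSession -ComputerName $_
    Get-ScheduledTask -CimSession $cs |
        Where-Object { $_.Principal.UserId -like "*$Account*" } |
        Select-Object @{n='Computer';e={$cs.ComputerName}}, TaskPath, TaskName, State
    Remove-CimSession $cs
}
```

If the caller computer is itself a DC (as in the original post), the request was most likely forwarded through that DC, and the originating client is usually visible only in that DC's own 4776/4625 events or its Netlogon log rather than in 4740.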