Well, I've seen in our AD when it was W2K that the administrator account was showing as locked in dsa.msc if you tried too many incorrect auth attempts. But I was still able to log on with it as expected. I didn't check to see if any events were logged to indicate that it was.
I cannot repro your setup as my lab is busy doing other work. Someone else might have something more sensible to add here.
M@

On 7/18/06, Thommes, Michael M. <[EMAIL PROTECTED]> wrote:
Hi AD Gurus!

We have penetration testing going on and I saw a security event log entry that showed our root admin account getting locked out. I was surprised because I thought this account could never get locked out. In addition, we had a scheduled job that runs under the credentials of this root account that ran successfully a couple of minutes *after* the account was supposedly locked. (We have the standard 30 minute lockout time.) I think the reason this happened is that the penetration testing really didn't lock out the root account but did lock out the local SID 500 account that exists on all servers (including domain controllers). This is my belief. My officemate says there is no such account on a DC and that the root account could have been locked out for a short period of time but then made active again when AD saw what the account was, or that the security log entry is just bogus. Can someone offer a little insight into this (nope, no dinners or cash riding on this debate!)?

Thanks much!
Mike Thommes
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
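The thread above turns on whether the domain's built-in Administrator (RID 500) was really locked, or whether dsa.msc and the event log were showing something else. The script below is an added example (it is not from the thread or from either poster) that answers that question from the directory itself: it locates the RID-500 account by SID rather than by name, reads lockoutTime and the domain's lockoutDuration, and works out whether the lockout is still in force. It assumes a domain-joined Windows host with PowerShell and .NET System.DirectoryServices; the function and parameter names (Get-Rid500LockoutState, -Server) are my own, and the local-account check at the end assumes the local account still carries the default name "Administrator".

```powershell
# Added example, not code from the thread. Reports the true lockout state of the
# domain's RID-500 account from lockoutTime, independent of what dsa.msc shows.
function Get-Rid500LockoutState {
    param(
        # Optional DC to query. lockoutTime replicates, but badPwdCount does not,
        # so point this at the DC that wrote the lockout event (or the PDC emulator).
        [string]$Server = ""
    )
    $prefix = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }

    $rootDse   = [ADSI]"${prefix}RootDSE"
    $domainDn  = $rootDse.defaultNamingContext.Value
    $domainObj = [ADSI]"${prefix}$domainDn"

    # Build S-1-5-21-<domain>-500 from the domain's own objectSid. Binding by SID
    # finds the built-in Administrator even if it has been renamed.
    $domainSid = New-Object System.Security.Principal.SecurityIdentifier(
        [byte[]]$domainObj.objectSid.Value, 0)
    $adminSid  = "$($domainSid.Value)-500"
    $admin     = [ADSI]"${prefix}<SID=$adminSid>"

    # Base-scope search so the large-integer attributes come back as Int64.
    $s = New-Object System.DirectoryServices.DirectorySearcher($admin, "(objectClass=*)")
    $s.SearchScope = [System.DirectoryServices.SearchScope]::Base
    [void]$s.PropertiesToLoad.AddRange(@("sAMAccountName", "lockoutTime", "badPwdCount", "badPasswordTime"))
    $r = $s.FindOne()

    $name        = [string]$r.Properties["samaccountname"][0]
    $lockoutTime = if ($r.Properties["lockouttime"].Count -gt 0) { [int64]$r.Properties["lockouttime"][0] } else { 0 }
    $badCount    = if ($r.Properties["badpwdcount"].Count -gt 0)  { [int]$r.Properties["badpwdcount"][0] }    else { 0 }

    # Domain lockoutDuration is a negative Int64 in 100-ns ticks (-18000000000 = 30 min);
    # Int64.MinValue means "locked until an administrator unlocks".
    $d = New-Object System.DirectoryServices.DirectorySearcher($domainObj, "(objectClass=*)")
    $d.SearchScope = [System.DirectoryServices.SearchScope]::Base
    [void]$d.PropertiesToLoad.Add("lockoutDuration")
    $duration = [int64]$d.FindOne().Properties["lockoutduration"][0]

    $state = [ordered]@{
        Account     = $name
        Sid         = $adminSid
        BadPwdCount = $badCount   # per-DC value, not replicated
        Locked      = $false
        LockedAtUtc = $null
        UnlocksUtc  = $null
    }

    if ($lockoutTime -ne 0) {
        $lockedAt = [DateTime]::FromFileTimeUtc($lockoutTime)
        $state.LockedAtUtc = $lockedAt
        if ($duration -eq [int64]::MinValue) {
            $state.Locked     = $true
            $state.UnlocksUtc = "manual unlock required"
        } else {
            $unlocks = $lockedAt + [TimeSpan]::FromTicks(-$duration)
            $state.UnlocksUtc = $unlocks
            # lockoutTime is not cleared when the duration elapses; the DC simply
            # treats the account as usable again, so compare against the clock.
            $state.Locked = ((Get-Date).ToUniversalTime() -lt $unlocks)
        }
    }
    [pscustomobject]$state
}

# Run against the DC that logged the event, then against the PDC emulator.
Get-Rid500LockoutState -Server "dc01.example.local" | Format-List
Get-Rid500LockoutState | Format-List

# For comparison on a *member server*: the local RID-500 account is a different
# principal in the machine SAM. Name assumed to be the default "Administrator".
$local = [ADSI]"WinNT://./Administrator,user"
"Local Administrator IsAccountLocked: $($local.InvokeGet('IsAccountLocked'))"
```

Reading lockoutTime this way removes the two ambiguities in the thread: a non-zero lockoutTime older than lockoutDuration explains an account that shows as locked in some tools yet still authenticates, and a zero lockoutTime on the domain account while the member server's local Administrator reports IsAccountLocked = True points at the local SAM account rather than the domain one.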