RE: [ActiveDir] root admin account able to be locked out?

2006-07-22 Thread Thommes, Michael M.
Jorge (and joe),

    Thanks for your reply on this issue!

Mike Thommes

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, July 18, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] root admin account able to be locked out?

My experience with this is

the default ADMINISTRATOR can be locked out (wait before shouting!)
what I mean is that if you have a lockout threshold of let's say 5, the
lockoutTime attribute will show the lockout date and time the account was
locked. In ADUC (using another custom admin account for example) you will
see the default ADMINISTRATOR is locked; you will even see an event ID
644 mentioning the account lockout

HOWEVER here it comes...

while the default ADMINISTRATOR is locked, it will be unlocked automatically by
the SYSTEM (DC) AS SOON AS the correct password is used (even before it is
unlocked after the unlock period)

jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail :

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 2006-07-18 20:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] root admin account able to be locked out?

Hi AD Gurus!

  We have penetration testing going on and I saw a security event log
entry that showed our root admin account getting locked out.  I was
surprised because I thought this account could never get locked out.  In
addition, we had a scheduled job that runs under the credentials of this
root account that ran successfully a couple of minutes *after* the supposed
account was locked.  (We have the standard 30 minute lockout time.)  I think
the reason that this happened was that the penetration testing really didn’t
lock out the root account but did lockout the local SID 500 account that
exists on all servers (including domain controllers).  This is my belief.
My officemate says there is no such account on a DC and that the root
account could have been locked out for a short period of time but then made
active again when AD saw what the account was or that the security log entry
is just bogus.  Can someone offer a little insight into this (nope, no
dinners or cash riding on this debate!).  Thanks much!

Mike Thommes

RE: [ActiveDir] root admin account able to be locked out?

2006-07-21 Thread joe
That has been my experience as well. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, July 18, 2006 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] root admin account able to be locked out?


My experience with this is
 
the default ADMINISTRATOR can be locked out (wait before shouting!)
what I mean is that if you have a lockout threshold of let's say 5, the
lockoutTime attribute will show the lockout date and time the account was
locked. In ADUC (using another custom admin account for example) you will
see the default ADMINISTRATOR is locked; you will even see an event ID
644 mentioning the account lockout
 
HOWEVER here it comes...
 
while the default ADMINISTRATOR is locked, it will be unlocked automatically by
the SYSTEM (DC) AS SOON AS the correct password is used (even before it is
unlocked after the unlock period)
 
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 

  _  

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 2006-07-18 20:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] root admin account able to be locked out?



Hi AD Gurus!

  We have penetration testing going on and I saw a security event log
entry that showed our root admin account getting locked out.  I was
surprised because I thought this account could never get locked out.  In
addition, we had a scheduled job that runs under the credentials of this
root account that ran successfully a couple of minutes *after* the supposed
account was locked.  (We have the standard 30 minute lockout time.)  I think
the reason that this happened was that the penetration testing really didn't
lock out the root account but did lockout the local SID 500 account that
exists on all servers (including domain controllers).  This is my belief.
My officemate says there is no such account on a DC and that the root
account could have been locked out for a short period of time but then made
active again when AD saw what the account was or that the security log entry
is just bogus.  Can someone offer a little insight into this (nope, no
dinners or cash riding on this debate!).  Thanks much!

Mike Thommes


RE: [ActiveDir] root admin account able to be locked out?

2006-07-18 Thread Almeida Pinto, Jorge de
My experience with this is
 
the default ADMINISTRATOR can be locked out (wait before shouting!)
what I mean is that if you have a lockout threshold of let's say 5, the
lockoutTime attribute will show the lockout date and time the account was
locked. In ADUC (using another custom admin account for example) you will see
the default ADMINISTRATOR is locked; you will even see an event ID 644
mentioning the account lockout
 
HOWEVER here it comes...
 
while the default ADMINISTRATOR is locked, it will be unlocked automatically by
the SYSTEM (DC) AS SOON AS the correct password is used (even before it is
unlocked after the unlock period)
 
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 2006-07-18 20:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] root admin account able to be locked out?



Hi AD Gurus!

  We have penetration testing going on and I saw a security event log entry 
that showed our root admin account getting locked out.  I was surprised because 
I thought this account could never get locked out.  In addition, we had a 
scheduled job that runs under the credentials of this root account that ran 
successfully a couple of minutes *after* the supposed account was locked.  (We 
have the standard 30 minute lockout time.)  I think the reason that this 
happened was that the penetration testing really didn't lock out the root 
account but did lockout the local SID 500 account that exists on all servers 
(including domain controllers).  This is my belief.  My officemate says there 
is no such account on a DC and that the root account could have been locked out 
for a short period of time but then made active again when AD saw what the 
account was or that the security log entry is just bogus.  Can someone offer a 
little insight into this (nope, no dinners or cash riding on this debate!).  
Thanks much!

Mike Thommes



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
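
The behaviour described in this thread (event ID 644 and a populated lockoutTime on the default Administrator, yet a successful logon inside the lockout window) can be checked for in exported security events. The following is an added example, not code from any poster in the thread: it decodes a lockoutTime value and lists successful logons that occur while an account is nominally locked. The event tuple layout, the sample records and the use of event IDs 528/540 for successful logons are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCKOUT_EVENT = 644          # account lockout event ID named in the thread
LOGON_SUCCESS = {528, 540}   # assumption: pre-Vista successful logon event IDs

def filetime_to_utc(lockout_time):
    """Decode an AD lockoutTime value (100 ns ticks since 1601); 0 = not locked."""
    if not lockout_time:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=lockout_time // 10)

def logons_while_locked(events, lockout_duration):
    """Return (account, locked_at, logon_at) for each successful logon that
    falls inside the lockout window opened by an event 644 for that account."""
    locked_at = {}
    hits = []
    for when, event_id, account in sorted(events):
        key = account.lower()
        if event_id == LOCKOUT_EVENT:
            locked_at[key] = when
        elif event_id in LOGON_SUCCESS and key in locked_at:
            start = locked_at.pop(key)   # a successful logon closes the episode
            if when - start < lockout_duration:
                hits.append((account, start, when))
    return hits

# Constructed sample data (not from the thread): one lockoutTime value and
# four (time, event ID, account) records mirroring the scenario described.
SAMPLE_LOCKOUT_TIME = 127977204000000000   # 2006-07-18 18:20:00 UTC
T0 = filetime_to_utc(SAMPLE_LOCKOUT_TIME)
SAMPLE_EVENTS = [
    (T0, 644, "Administrator"),
    (T0 + timedelta(minutes=1), 644, "jdoe"),
    (T0 + timedelta(minutes=3, seconds=10), 528, "Administrator"),
    (T0 + timedelta(minutes=34), 528, "jdoe"),   # after the 30 minute window
]

if __name__ == "__main__":
    window = timedelta(minutes=30)   # lockout duration mentioned in the thread
    for account, locked, logon in logons_while_locked(SAMPLE_EVENTS, window):
        print(f"{account}: locked {locked:%H:%M:%S}, logon {logon:%H:%M:%S} UTC")
```

The built-in account can be renamed, so in practice match it by its RID 500 SID rather than by the name used in the sample records.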

Re: [ActiveDir] root admin account able to be locked out?

2006-07-18 Thread Matheesha Weerasinghe

Well, I've seen in our AD when it was W2K, the administrator account
was showing as locked in dsa.msc if you try too many incorrect auth
attempts. But I was still able to logon with it as expected. I didn't
check to see if any events were logged to indicate that it was.

I cannot repro your setup as my lab is busy doing other work. Someone
else might have something more sensible to add here.

M@

On 7/18/06, Thommes, Michael M. <[EMAIL PROTECTED]> wrote:




Hi AD Gurus!

  We have penetration testing going on and I saw a security event log
entry that showed our root admin account getting locked out.  I was
surprised because I thought this account could never get locked out.  In
addition, we had a scheduled job that runs under the credentials of this
root account that ran successfully a couple of minutes *after* the supposed
account was locked.  (We have the standard 30 minute lockout time.)  I think
the reason that this happened was that the penetration testing really didn't
lock out the root account but did lockout the local SID 500 account that
exists on all servers (including domain controllers).  This is my belief.
My officemate says there is no such account on a DC and that the root
account could have been locked out for a short period of time but then made
active again when AD saw what the account was or that the security log entry
is just bogus.  Can someone offer a little insight into this (nope, no
dinners or cash riding on this debate!).  Thanks much!



Mike Thommes

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] root admin account able to be locked out?

2006-07-18 Thread Thommes, Michael M.

Hi AD Gurus!

  We have penetration testing going on and I saw a security event log entry that showed our root admin account getting locked out.  I was surprised because I thought this account could never get locked out.  In addition, we had a scheduled job that runs under the credentials of this root account that ran successfully a couple of minutes *after* the supposed account was locked.  (We have the standard 30 minute lockout time.)  I think the reason that this happened was that the penetration testing really didn’t lock out the root account but did lockout the local SID 500 account that exists on all servers (including domain controllers).  This is my belief.  My officemate says there is no such account on a DC and that the root account could have been locked out for a short period of time but then made active again when AD saw what the account was or that the security log entry is just bogus.  Can someone offer a little insight into this (nope, no dinners or cash riding on this debate!).  Thanks much!



Mike Thommes