Exchange Server Forums
somethings locking our admin account
somethings locking our admin account - 30.Jun.2010 3:41:17 PM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
Since we changed the domain admin password we have been having an issue with the account locking out. I've used all the ALTools and everything points to Exchange. Not sure if it's another system trying to relay through Exchange with the old password or something on the system itself. I'm leaning more toward the system itself because I've done packet captures looking for anything talking to Exchange at the time of the locked account. No luck, all I see is the communication to the domain controller. I've looked at all the services, nothing is using that account, no scheduled task... at a loss here.
|
|
|
RE: somethings locking our admin account - 30.Jun.2010 6:31:59 PM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
Event Viewer doesn't show anything around the time of the lockout/bad password. Security shows events but only for the user system. Nothing for the administrator account that's locking.
|
|
|
RE: somethings locking our admin account - 1.Jul.2010 5:21:44 AM
|
|
|
Exchange_Geek
Posts: 1287
Joined: 31.Dec.2006
Status: offline
|
quote:
i've used all the altools and everything points to exchange

Which tool told you Exchange is causing problems - could you provide the logs of that tool, would help us understand how Exchange as a product is now trying to lock accounts.

Regards,
Exchange_Geek
|
|
|
RE: somethings locking our admin account - 1.Jul.2010 9:35:12 AM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
I wasn't talking Exchange as a product is locking it, I was referring to Exchange as in my Exchange server or something running on it. I used the lockoutstatus to figure out what domain controller was locking the account. After that I went to that server and did Wiresharks to figure out what system was sending a login request. Also used the netlogon to verify the same results.

07/01 08:24:00 [LOGON] AEROSPACE: SamLogon: Transitive Network logon of (null)\sadministrator from POSTOFFICE (via 1STPDC) Entered
07/01 08:24:00 [LOGON] AEROSPACE: SamLogon: Transitive Network logon of (null)\sadministrator from POSTOFFICE (via 1STPDC) Returns 0xC0000234
07/01 08:24:01 [LOGON] AEROSPACE: SamLogon: Transitive Network logon of (null)\sadministrator from POSTOFFICE (via 1STPDC) Entered
07/01 08:24:01 [LOGON] AEROSPACE: SamLogon: Transitive Network logon of (null)\sadministrator from POSTOFFICE (via 1STPDC) Returns 0xC0000234
07/01 08:24:02 [LOGON] AEROSPACE: SamLogon: Transitive Network logon of (null)\sadministrator from POSTOFFICE (via 1STPDC) Entered
07/01 08:24:02 [LOGON] AEROSPACE: SamLogon: Transitive Network logon of (null)\sadministrator from POSTOFFICE (via 1STPDC) Returns 0xC0000234

I looked up the return code and that shows invalid password.
< Message edited by blkchevyz -- 1.Jul.2010 9:42:41 AM >
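Added example, not part of the original post: a small parser for netlogon.log lines in the format quoted above, which decodes the "Returns" NTSTATUS value and groups failures by source host. In the NTSTATUS table, 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT and 0xC000006A is STATUS_WRONG_PASSWORD. The account svc_example and host APP01 are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS values that commonly appear on netlogon.log "Returns" lines.
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?P<dc_domain>\S+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<domain>[^\\]+)\\(?P<user>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<code>0x[0-9A-Fa-f]+)\s*$")

def parse(lines):
    """One dict per 'Returns' line; 'Entered' lines carry no status and are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["status"] = NTSTATUS.get(int(ev["code"], 16), ev["code"])
            events.append(ev)
    return events

def failures_by_source(events):
    """Count failed results per (user, source host, relaying DC, status)."""
    return Counter((e["user"].lower(), e["source"], e["via"], e["status"])
                   for e in events if e["status"] != "STATUS_SUCCESS")

def first_wrong_password(events, user):
    """Earliest wrong-password event for user; None if the excerpt starts after lockout."""
    for e in events:
        if e["user"].lower() == user.lower() and e["status"] == "STATUS_WRONG_PASSWORD":
            return e
    return None

SAMPLE = [  # first line is constructed; the remaining lines are copied from the post
    r"07/01 08:10:11 [LOGON] AEROSPACE: SamLogon: Network logon of AEROSPACE\svc_example from APP01 Returns 0xC000006A",
    r"07/01 08:24:00 [LOGON] AEROSPACE: SamLogon: Transitive Network logon of (null)\sadministrator from POSTOFFICE (via 1STPDC) Entered",
    r"07/01 08:24:00 [LOGON] AEROSPACE: SamLogon: Transitive Network logon of (null)\sadministrator from POSTOFFICE (via 1STPDC) Returns 0xC0000234",
    r"07/01 08:24:01 [LOGON] AEROSPACE: SamLogon: Transitive Network logon of (null)\sadministrator from POSTOFFICE (via 1STPDC) Returns 0xC0000234",
    r"07/01 08:24:02 [LOGON] AEROSPACE: SamLogon: Transitive Network logon of (null)\sadministrator from POSTOFFICE (via 1STPDC) Returns 0xC0000234",
]

if __name__ == "__main__":
    events = parse(SAMPLE)
    print(failures_by_source(events), first_wrong_password(events, "sadministrator"))
```

A result of None for an account means the excerpt begins after the lockout; the STATUS_WRONG_PASSWORD lines that name the originating host are earlier in netlogon.log or in the rolled-over netlogon.bak.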
|
|
|
RE: somethings locking our admin account - 6.Jul.2010 5:02:14 AM
|
|
|
GhostyDog
Posts: 11
Joined: 23.Feb.2009
Status: offline
|
Check the user account(s) that the Exchange services run under; if you're running them under another account and you change the password, then the password will need to be changed in the Services snap-in. :)
|
|
|
RE: somethings locking our admin account - 7.Jul.2010 11:25:43 AM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
Nothing's set to run under the problem user's name. Is there a way to track what systems are trying to send mail through the Exchange server? I've tried looking through Wiresharks but those get pretty large fast.
|
|
|
RE: somethings locking our admin account - 8.Jul.2010 1:40:32 AM
|
|
|
bpara
Posts: 212
Joined: 12.Jan.2010
Status: offline
|
Hi, are you using any firewall? -bpara
|
|
|
RE: somethings locking our admin account - 8.Jul.2010 9:03:12 AM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
We have a Cisco firewall, but nothing running on that machine.
|
|
|
RE: somethings locking our admin account - 8.Jul.2010 9:42:21 AM
|
|
|
uemurad
Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
|
Use your favorite search engine to look up "lockoutstatus.exe". It's a tool from Microsoft that will tell you whether an account is locked, and when the lockout occurred. You can use the timestamp information to look at the Security Log of the Domain Controller listed and determine the IP address of the machine from which the bad password attempt was made. That information should point you towards resolving your issue.

The most common causes are:
1. You left a machine logged in using the admin account with the old password - you need to log out and log back in (if needed) using the new password
2. You are running a service as the admin account and need to update the password
3. You statically mapped a drive using the admin account and need to update the password
4. You are running a scheduled task as the admin account and need to update the password
_____________________________
Regards, Dean T. Uemura Microsoft MVP - Exchange (2007-2011) exchangeguy.blogspot.com uemurad@yahoo.com
|
|
|
RE: somethings locking our admin account - 8.Jul.2010 9:59:50 AM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
That's what pointed me to my Exchange server. There are no scheduled tasks, no services running under that account. I've rebooted the server many times since this started so I think that would rule out the static mapping. That's what is making me think it's something sending mail through Exchange. I came to that with the impression that the server wanting to send mail talks to Exchange, then Exchange talks to the domain controller to authenticate the username and password. Not sure if that's really how it works though.
|
|
|
RE: somethings locking our admin account - 8.Jul.2010 10:33:07 AM
|
|
|
uemurad
Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
|
Sorry - I didn't read through the thread very thoroughly and missed your post about lockoutstatus. So the Security Log on your DC indicates the password attempt was made from the Exchange server? What does the Security Log on the Exchange server say for that same time? How often do the bad password attempts happen? Is each incorrect attempt being logged in the Security Log?
|
|
|
RE: somethings locking our admin account - 8.Jul.2010 10:42:56 AM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
I'm not seeing anything for that user in the Security Log on the Exchange server anywhere near that time. The logs just show normal user connections. The account locks out about every 10 minutes or so; I don't see any entry for it till it's locked out. So it's like it's not logging the bad password attempts except for the last one.
|
|
|
RE: somethings locking our admin account - 8.Jul.2010 10:48:01 AM
|
|
|
uemurad
Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
|
Let's think a moment about your suspicion that message flow is causing the lockout. Does your outbound mail flow require authentication to deliver messages to the next hop? Are you sending all messages to a secure smarthost perhaps?
|
|
|
RE: somethings locking our admin account - 9.Jul.2010 9:39:11 AM
|
|
|
lbsysadmin
Posts: 40
Joined: 5.Feb.2010
Status: offline
|
Not read the whole post in-depth so apologies if this is way off the mark but just caught the account lockout part of the post. We had a big problem last year with account lockouts, we got caught by the Conficker virus!!! Might be worth a check? Cheers Daniel
|
|
|
RE: somethings locking our admin account - 22.Jul.2010 12:52:48 PM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
Had a lot of other issues taking up my time, now I'm back to this. The outbound mail just goes from the client system to Exchange then out. Internal goes through a gateway. What I'm thinking regarding it being a server sending mail through Exchange: I think it is a server that relays through Exchange and has to authenticate first. What I did try is switching the password back to the old one to see if any mail started flowing through, but I didn't see anything. The account did stop locking though. So something just has that old password. I checked for the Conficker virus but we seem to be clean. Thanks for the ideas though.
|
|
|
RE: somethings locking our admin account - 22.Jul.2010 3:38:04 PM
|
|
|
uemurad
Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
|
How many servers do you allow to relay through Exchange? Do you have an explicit Relay Allowed list configured or is it an open relay (yikes!)? If for some reason one (or more) of those has a statically configured username and password, it is very possible you've discovered the cause. I'd still expect the Security Log trail would eventually point to the originating server though.
|
|
|
RE: somethings locking our admin account - 22.Jul.2010 3:41:34 PM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
No open relay. I did check all the systems that I have set up to relay through Exchange and I couldn't find anything on them with that account... Does Exchange allow all systems on the local network to relay and not just the ones in the allowed list? I agree, I would think the logs would show it. Is there some other kind of logging I can turn on to help with this?
|
|
|
RE: somethings locking our admin account - 22.Jul.2010 3:57:12 PM
|
|
|
uemurad
Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
|
Glad to hear you're not an open relay. Do you have the "Allow all computers which successfully authenticate to relay..." box checked or cleared on the Relay Restrictions configuration page? I believe the appropriate choice of logging level to raise is MSExchangeTransport/Authentication.
|
|
|
RE: somethings locking our admin account - 22.Jul.2010 5:06:12 PM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
Well, I don't have the allow all computers which successfully authenticate to relay... but I looked under grant or deny relay permissions to specific users or group and authenticated users is allowed.
|
|
|
RE: somethings locking our admin account - 22.Jul.2010 5:30:37 PM
|
|
|
blkchevyz
Posts: 28
Joined: 6.Oct.2006
Status: offline
|
I have, MSExchangeTransport/Authentication was already set to maximum. Those would show up in the Event Viewer under Security, correct? All I see around the time a bad password happens is a lot of system logons and a few users. I don't see anything from the problem account.
|
|
|