Title: root admin account able to be locked out?

Hi AD Gurus!

We have penetration testing going on and I saw a security event log entry that showed our root admin account getting locked out.  I was surprised because I thought this account could never get locked out.  In addition, we had a scheduled job that runs under the credentials of this root account that ran successfully a couple of minutes *after* the supposed account was locked.  (We have the standard 30-minute lockout time.)  I think the reason that this happened was that the penetration testing really didn't lock out the root account but did lock out the local SID 500 account that exists on all servers (including domain controllers).  This is my belief.  My officemate says there is no such account on a DC and that the root account could have been locked out for a short period of time but then made active again when AD saw what the account was, or that the security log entry is just bogus.  Can someone offer a little insight into this? (Nope, no dinners or cash riding on this debate!)  Thanks much!

Mike Thommes
