Jorge (and joe),

Thanks for your reply on this issue!

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de

My experience with this is.... the default ADMINISTRATOR can be locked out (wait before shouting!). What I mean is that if you have a lockout threshold of, let's say, 5, the lockoutTime attribute will show the date and time the account was locked. In ADUC (using another custom admin account, for example) you will see the default ADMINISTRATOR is locked.... you will even see an event ID 644 mentioning the account lockout.

HOWEVER.... here it comes... while the default ADMINISTRATOR is locked, it will be unlocked automatically by the SYSTEM (DC) AS SOON AS the correct password is used (even before it is unlocked after the unlock period).

jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC
Tel: +31-(0)40-29.57.777
E-mail: <see sender address>

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.

Hi AD Gurus!

We have penetration testing going on and I saw a security event log entry that showed our root admin account getting locked out. I was surprised because I thought this account could never get locked out. In addition, we had a scheduled job that runs under the credentials of this root account that ran successfully a couple of minutes *after* the supposed account was locked. (We have the standard 30 minute lockout time.)

I think the reason that this happened was that the penetration testing really didn’t lock out the root account but did lock out the local SID 500 account that exists on all servers (including domain controllers). This is my belief. My officemate says there is no such account on a DC and that the root account could have been locked out for a short period of time but then made active again when AD saw what the account was, or that the security log entry is just bogus.

Can someone offer a little insight into this (nope, no dinners or cash riding on this debate!)?

Thanks much!

Mike Thommes
Title: root admin account able to be locked out?
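
The pattern discussed in this thread (a lockout event followed by a successful logon before the 30 minute lockout time has passed) can be checked for in exported security events. The following is an added example, not code from any of the posters; the normalized record fields, the account names other than Administrator, and the timestamps are constructed assumptions, with `lockout` standing in for event ID 644.

```python
from datetime import datetime, timedelta

# The "standard 30 minute lockout time" mentioned in the thread.
LOCKOUT_WINDOW = timedelta(minutes=30)

# Constructed sample records (not real log data). The field names are an
# assumption of this example; "lockout" represents event ID 644.
EVENTS = [
    {"time": "2006-03-01 10:00:00", "kind": "lockout", "account": "Administrator", "rid": 500},
    {"time": "2006-03-01 10:02:30", "kind": "logon_success", "account": "Administrator", "rid": 500},
    {"time": "2006-03-01 10:05:00", "kind": "lockout", "account": "svc-backup", "rid": 1104},
    {"time": "2006-03-01 10:10:00", "kind": "logon_success", "account": "svc-backup", "rid": 1104},
    {"time": "2006-03-01 11:00:00", "kind": "lockout", "account": "jdoe", "rid": 1105},
    {"time": "2006-03-01 11:45:00", "kind": "logon_success", "account": "jdoe", "rid": 1105},
]


def logons_inside_lockout(events, window=LOCKOUT_WINDOW):
    """Return successful logons that happened while a lockout window was still open."""
    findings = []
    locked_at = {}  # account -> time of its most recent lockout event
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        acct = ev["account"]
        if ev["kind"] == "lockout":
            locked_at[acct] = when
        elif ev["kind"] == "logon_success" and acct in locked_at:
            elapsed = when - locked_at.pop(acct)
            if elapsed < window:
                # RID 500 matches the auto-unlock behaviour described in the
                # thread; for any other account, find out what cleared the lockout.
                verdict = "builtin-admin-auto-unlock" if ev["rid"] == 500 else "review-unlock"
                findings.append((acct, int(elapsed.total_seconds()), verdict))
    return findings


if __name__ == "__main__":
    for acct, seconds, verdict in logons_inside_lockout(EVENTS):
        print(f"{acct}: logon {seconds}s after lockout -> {verdict}")
```

A lockout on the built-in Administrator during a test window still means someone was guessing its password, so the lockout event itself is worth alerting on even when the account keeps working.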
