Admin Account Keeps Getting Locked Out

Ever since I changed the admin password on my work domain, the admin account keeps getting locked out in the morning when users start logging on to their computers. I am not sure why a user logging on to their PC would try to use the admin account, but I keep getting Event 675 with failure code 0x18. After a few of these failed logons, the account is locked out. The User ID in the error is the domain admin and the Client Address is the IP address of a user's computer.

After everyone is logged on in the morning, the admin account no longer gets locked out--it only happens during the time everyone logs in. I have not seen a pattern as to specific computers causing the lockout (so I do not suspect an attempted security breach).

Any idea on why this is happening and how I may fix it?


Solution 1:

It sounds like a service or a mapped drive is using the admin account with the old password. The error log should show the IP or name of the computer that has the issue.

Solution 2:

First, I would suggest that you take a look in the event log for event code 4740; it should have the computer name or IP that caused the lock.
If the lock is caused by random computers, then check them for stored credentials in services, scheduled tasks, or any other application that has the password stored inside it.
It could also be somewhere in a login script that you forgot about.
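
The checks suggested in Solutions 1 and 2 (services, scheduled tasks, mapped drives, stored credentials) can be scripted. This is an added PowerShell example, not part of the original answers; it assumes Windows 8 / Server 2012 or later, and the function name `Find-StaleCredentialUse` and the account value `Administrator` are hypothetical placeholders.

```powershell
# Added example (not from the thread). Run elevated on a workstation whose IP
# shows up as the Client Address in the lockout events.
# Assumes Windows 8 / Server 2012 or later (ScheduledTasks module).
function Find-StaleCredentialUse {
    param(
        # Bare account name without the domain part (placeholder value below).
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $name    = [regex]::Escape($SamAccountName)
    # Matches DOMAIN\name, .\name, name@domain and a bare name.
    $pattern = "(^|\\)$name(@|$)"

    # Services configured to log on as the account.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Service'; Name = $_.Name
                               RunsAs = $_.StartName; Detail = $_.State }
        }

    # Scheduled tasks registered under the account.
    # LogonType 'Password' means a password was saved with the task.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName
                               RunsAs = $_.Principal.UserId
                               Detail = "LogonType=$($_.Principal.LogonType)" }
        }

    # Mapped drives and Credential Manager entries are per user: run this
    # part in the session of the user who logs on to the machine.
    Get-CimInstance -ClassName Win32_NetworkConnection |
        Where-Object { $_.UserName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'MappedDrive'; Name = $_.LocalName
                               RunsAs = $_.UserName; Detail = $_.RemoteName }
        }
    cmdkey.exe /list | Select-String -SimpleMatch -Pattern $SamAccountName |
        ForEach-Object {
            [pscustomobject]@{ Source = 'CredentialManager'; Name = $_.Line.Trim()
                               RunsAs = $SamAccountName; Detail = 'cmdkey /list' }
        }
}

# 'Administrator' is a placeholder; pass the locked-out account's name.
Find-StaleCredentialUse -SamAccountName 'Administrator' | Format-Table -AutoSize
```

Anything the function returns is a place where the old password may still be saved and should be updated or removed.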

Solution 3:

You will be able to see in the Event Viewer why your account is being locked out. It is Event ID 644. Make sure that your Security Audit is set to Success/Failure, though, to see these errors inside the DC's event log.

Additionally, Event ID 529, which is a failed logon attempt, should list everywhere that has the wrong credentials saved.