# Solved: Account constantly locked out



## inthecloset

Server 2003, XP and W7 desktops. I'm an admin on the network. My account has administrative access. Some time ago I changed my password, and began experiencing occasional lockouts. The event viewer indicated that it was a matter of failed logon attempts. Recently I changed it back, because I couldn't figure out the source of the problem. Since changing it back to the original, I'm having a constant lockout problem. I can see, looking at the Event Viewer, that it locks out every 1/2 hour, with two events: first a 1058, then a 1030. So evidently, as soon as the 1/2 hour lockout ends something is trying to logon with the wrong password. This follows through 24/7. 

In order for me to access my account I have to logon with another administrative account, unlock mine and then immediately log off & quickly logon with my account, before it's locked out again. This is driving me bonkers. Nothing I've found online has helped. I've turned on auditing (see attachment) but I don't see it showing up in the Event Viewer. I'm guessing it's because it's local auditing, but I can't see where else to turn it on.

I'm thinking this isn't hacking, because of the combination of the timing, since it began with the password change and then worsened with another change, and the 24/7 persistence. I'm thinking maybe some service is logging on with my account credentials? At any rate, I'm very frustrated. Any help is appreciated.


----------



## inthecloset

I also turned it on here, in Group Policy Object Editor.


----------



## TheOutcaste

You need to set the Audit policy using the *Domain Controller Security Policy* tool, or the auditing will only appear on the machine the attempt is coming from.


----------



## srhoades

Is your server viewable to the outside world via the standard RDP port of 3389? My guess is it's just people trying to crack your server.


----------



## inthecloset

I finally did get it resolved. I thought the auditing was not being applied to the right place, but I couldn't find the right place for a while. Auditing shouldn't be so hard to manage.

I turned it on and used NetWrix to find that I had been logged onto a server in a separate location, same domain, with the old password. I logged off that station and the problem was resolved. OutCaste, your advice got to the heart of my problem. Thanks.


----------

