Since last Monday, the same admin account has been getting locked out every night.
Windows Event Messages - Event 1 of 1:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Logged: 03/09/2019 00:35:58
Event ID: 4740
Level: Audit Success
User:
Computer: ABCDC1.AD.ABC.COM
A user account was locked out.
Subject:
  Security ID: S-1-5-18
  Account Name: DC201$
  Account Domain: AD
  Logon ID: 0x3e7
Account That Was Locked Out:
  Security ID: S-1-5-21-12345678-12345678-2380821524-12345
  Account Name: adm-abc
Additional Information:
  Caller Computer Name: DC101
DC101 is a domain controller in ABC.COM, which is the parent domain of AD.ABC.COM. The locked account ad\adm-abc is the admin account in domain AD.ABC.COM. When it was locked out, it had not logged on to the server. There was no scheduled job or script running with this account, and no service running with this account either. Based on the time it got locked out, I only found one job in Task Scheduler that runs daily at that time: the Configuration Manager Health Evaluation.
The job runs under the SYSTEM account and has nothing to do with ad\adm-abc. It runs c:\Windows\CCM\ccmeval.exe, which is the ConfigMgr Client Evaluator.
I confirmed that this job caused the issue by manually running the job and seeing the account get locked out right away. I checked CcmEval.log and saw that it verified/remediated the startup type and status of SCCM-related services. I could not find any ad\adm-abc related information. I also knew that none of the related services were started with the adm-abc account.
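The correlation above (lockout time from the 4740 events on the logging DC, matched against the last run time of scheduled tasks on the caller computer) can be scripted instead of done by hand. This is an added example, not part of the original post; it assumes domain-admin rights, PowerShell remoting to the caller computer, and that the account and DC names below are the ones under investigation.

```powershell
# Added example: correlate 4740 lockouts with scheduled tasks on the caller computer.
param(
    [string]$LockedAccount = 'adm-abc',       # "Account That Was Locked Out" from the 4740 event
    [string]$AuditDc       = 'ABCDC1.AD.ABC.COM',  # DC that logged the lockout
    [int]$WindowMinutes    = 5                # how close a task run must be to the lockout
)

# 1. Pull every 4740 for the account from the DC that logged it.
#    In the 4740 schema, Properties[0] is TargetUserName and
#    Properties[1] holds the "Caller Computer Name" (DC101 in the post).
$lockouts = Get-WinEvent -ComputerName $AuditDc -FilterHashtable @{
    LogName = 'Security'; Id = 4740
} | Where-Object { $_.Properties[0].Value -eq $LockedAccount } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Caller = $_.Properties[1].Value
        }
    }

# 2. For each caller computer, list scheduled tasks whose last run
#    fell within $WindowMinutes of a lockout. A task that shows up for
#    every lockout (like ccmeval here) is the one to examine.
foreach ($caller in ($lockouts.Caller | Sort-Object -Unique)) {
    $tasks = Invoke-Command -ComputerName $caller -ScriptBlock {
        Get-ScheduledTask | Get-ScheduledTaskInfo |
            Select-Object TaskName, TaskPath, LastRunTime
    }
    foreach ($lock in ($lockouts | Where-Object Caller -eq $caller)) {
        $tasks | Where-Object {
            $_.LastRunTime -and
            [math]::Abs(($_.LastRunTime - $lock.Time).TotalMinutes) -le $WindowMinutes
        } | ForEach-Object {
            [pscustomobject]@{
                LockoutTime = $lock.Time
                Caller      = $caller
                Task        = "$($_.TaskPath)$($_.TaskName)"
                LastRun     = $_.LastRunTime
            }
        }
    }
}
```

Once a task is singled out, the 4625 logon-failure events on the caller computer for the same account (which carry the failing process name) help confirm which process is presenting the stale credential.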
It's really odd. I could not see any link between this job and the ad\adm-abc account. The job runs on a DC that is not in the same domain as ad\adm-abc. The job runs with the SYSTEM account, not ad\adm-abc. There are many other admin accounts which have not been affected by this job. This account is the daily admin account I use, but I don't use it for DC101 because that server is in the parent domain.
After I uninstalled the SCCM client and reinstalled it, the problem was resolved. But I still couldn't explain why it happened and how the job impacted the account. If I had to give a reason, the only possible one was that one of the related services was somehow started with the account, even though I could not see it in the settings.
3 months later, I finally found the reason. It was actually caused by the saved credential I had used to install the SCCM client. After I changed the account password, whenever the server talked to the SCCM server, the saved account and password were used, which caused the account to be locked out.
Please see this article: https://www.itreliable.com/wp/ad-account-got-locked-out-because-of-a-hidden-credential/