v0id (New Member; joined Jun 24, 2022; messages: 1)
Hello,
We are facing an issue where the domain admin accounts are becoming locked randomly.
We have filtered out event 4740 in the Windows Security log and we can see the PCs triggering this lockdown.
-------------------------------------
A user account was locked out.

Subject:
Security ID: SYSTEM
Account Name: DC02$
Account Domain: CONTOSO
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: Contoso\administrator
Account Name: Administrator

Additional Information:
Caller Computer Name: NB-1234
--------------------------------

We immediately disconnected the PCs in question and scanned them with several bootable antivirus USBs, but we found no infections.
We then formatted those PCs, and right after joining them to the domain again, the lockouts started again. This is where I started running out of ideas.
We installed Wireshark on those PCs and filtered Kerberos packets (TCP/UDP 88) and also SMB, but didn't find anything out of the ordinary.
We have already checked for cached credentials, RDP sessions and a bunch of other solutions we found on the internet, but nothing worked. The fact that freshly formatted PCs continued with the same behavior is driving us crazy. Antivirus cannot find any malware/trojan/rootkit; everything is clean.

I'd like to hear your opinion/suggestions on how to proceed with this.

Solution
The issue you are facing with random domain admin account lockouts can be complex, but there are steps you can take to help diagnose and resolve the problem. Here are some suggestions on how to proceed:

Troubleshooting Steps:

  1. Check Service Accounts: Ensure that the domain administrator's credentials are not used in any service accounts running on the affected machines. This can cause lockouts if the service account password is changed but not updated.
  2. Check Scheduled Tasks: Review scheduled tasks on the affected PCs to ensure that none of them are using the domain administrator's credentials.
  3. Use Netlogon Logs: Enable Netlogon logging on the domain controllers to capture more information about the source of authentication requests. This can provide more details on why the account is getting locked out.
  4. Account Lockout Tools: Utilize specialized account lockout tools like Microsoft Account Lockout and Management Tools to gather detailed information on account lockouts.
  5. Credential Manager: Check the Credential Manager on each affected PC to ensure there are no saved credentials causing the lockouts.
  6. Investigate Event Logs: Look for any suspicious events in the Security Event Logs, especially events related to failed login attempts.
  7. Network Traffic Analysis: Use tools like Wireshark to capture and analyze network traffic to and from the affected PCs. Look for any unusual traffic patterns that could be related to the lockouts.
  8. Group Policy: Review Group Policies to ensure there are no policies that could be causing account lockouts or restricting access.
  9. Reset Password: Temporarily reset the domain administrator password to see if the lockouts persist. This can help determine if the issue is related to the password itself.

It's important to be thorough in your investigation, as the cause of account lockouts can sometimes be elusive. By methodically checking each potential source and monitoring logs, you should be able to narrow down the issue and take appropriate action to resolve it.
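The following script is an added example, not code from the thread or its author; it walks steps 1, 2, 3, 5 and 6 above for one locked-out account. It assumes the RSAT ActiveDirectory module, read rights on the Security log of the PDC emulator (where every 4740 in the domain is recorded), and WinRM access to the caller machines; the account name is a placeholder.

```powershell
# Added example (not from the original thread). Assumptions: RSAT AD module,
# Security-log read rights on the PDC emulator, WinRM to the caller PCs.
$Account = 'Administrator'   # placeholder: the "Account That Was Locked Out"

# 1. Collect 4740 events from the PDC emulator and map each lockout to its caller.
#    In 4740, TargetUserName is the locked account and TargetDomainName carries
#    the "Caller Computer Name" shown in Event Viewer.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Target = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Caller = ($d | Where-Object Name -eq 'TargetDomainName').'#text'
        }
    } | Where-Object Target -eq $Account

# Which machines keep tripping the threshold?
$lockouts | Group-Object Caller | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 2. On each caller, list the usual holders of stale credentials: services,
#    scheduled tasks and Credential Manager entries (steps 1, 2 and 5 above).
foreach ($pc in ($lockouts.Caller | Sort-Object -Unique)) {
    Invoke-Command -ComputerName $pc -ArgumentList $Account -ScriptBlock {
        param($Account)
        Get-CimInstance Win32_Service | Where-Object StartName -like "*$Account*" |
            Select-Object @{n='Type';e={'Service'}}, Name, StartName
        Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$Account*" } |
            Select-Object @{n='Type';e={'Task'}}, TaskName, @{n='RunAs';e={$_.Principal.UserId}}
        # Credential Manager is per user profile: this only sees the remoting user's store.
        cmdkey /list | Select-String -Pattern $Account
    }
}

# 3. Failed Kerberos pre-authentication (4771) names the client IP and failure code
#    (0x18 = bad password) for the attempts that precede each lockout. 4771 is logged
#    on whichever DC handled the request, so repeat against other DCs if needed.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4771 } -MaxEvents 200 |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            IP   = ($d | Where-Object Name -eq 'IpAddress').'#text'
            Code = ($d | Where-Object Name -eq 'Status').'#text'
        }
    } | Where-Object User -eq $Account | Format-Table -AutoSize
```

Because the caller is a freshly imaged machine, the IP and failure code from 4771 are what distinguish a stale credential on that PC from a request merely relayed through it.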