Domain admin account lockouts from domain pcs

v0id

New Member
Hello,
we are facing an issue where the domain admin accounts are becoming locked randomly.
We have filtered out the event 4740 in the windows security log and we can see the PCs triggering this lockdown.
-------------------------------------
A user account was locked out.

Subject:
Security ID: SYSTEM
Account Name: DC02$
Account Domain: CONTOSO
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: Contoso\administrator
Account Name: Administrator

Additional Information:
Caller Computer Name: NB-1234
--------------------------------

We immediately disconnected the PCs in question and scanned them with several bootable antivirus USBS, but we found no infections.
We then formatted those PCs, and right after joining them to the domain again , the lockouts started again. this is where i started running out of ideas.
We installed wireshark on those PCs, and filtered kerberos packets (tcp/udp 88) and also SMB but didnt find anything out of the ordinary.
We have already checked for cached credentials , rdp sessions and a bunch of other solutions we found from the internet but nothing worked. The fact that freshly formatted PCs continued with the same behavior is driving is crazy. Antivirus cannot find any malware/trojan/rootkit everything is clean.

id like to hear your opinion/suggestions on how to proceed with this .
 
Back
Top