Local Admin Account locks out the Domain Admin Account

Subject: Local Admin Account locks out the Domain Admin Account
Posted by:  Tim Trabold (TimTrabo…@discussions.microsoft.com)
Date: Thu, 2 Mar 2006

We have an unusual situation.  We have set up some standalone servers and
renamed the local admin account - (it was Administrator).  We gave the local
account the same name as a domain admin account, but it has a different
password.

If we are logged onto a server locally using the local admin name and
password we have problems when browsing the domain.  Any time we try to
browse to the domain and look at a folder on the DC, a GP tries to apply and
it locks the domain admin account (same name, but different password) and we
get a message saying the domain account is locked out.  If we make the
passwords the same, this doesn't happen and it asks us to enter domain
credentials.  If we turn off all group policies, it will ask for credentials
regardless of the password.

Our questions are these:  Why is the domain treating a local account as a
domain account?  Why does it not see the local account, even though the name
is the same, as a different account since it is not a domain account?  Why is
group policy trying to use the local credentials as domain credentials and
not first asking for domain credentials?

Here is another caveat.  The above happens in our test lab.  In our
production environment, we have servers with the local admin account the same
as a domain admin account of the same name.  They have different passwords,
we do push down some GPs and it always asks for credentials when we browse
from a locally logged on server to the domain.  It doesn't lock it out.

Any ideas?  Which action is correct?  If one way is wrong, why?  How do we
fix it?

Thanks.
Tim Trabold
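
A check for the configuration described in the post above (a renamed local admin account that shares its name with a domain admin account), as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later for `Get-LocalUser`; the function name, the account names and the sample SIDs are constructed for illustration.

```powershell
# Added example: flag local accounts whose names collide with domain admin names.
# Requires Windows PowerShell 5.1+ (Get-LocalUser, Microsoft.PowerShell.LocalAccounts).
function Find-AdminNameCollision {
    param(
        # Domain admin account names, supplied by the operator (assumption:
        # a standalone server cannot look them up in the domain itself).
        [Parameter(Mandatory)][string[]]$DomainAdminNames,
        # Local accounts to check; defaults to the accounts on this machine.
        [object[]]$LocalUsers = (Get-LocalUser)
    )
    foreach ($u in $LocalUsers) {
        # -contains is case-insensitive, matching how Windows treats account names.
        if ($DomainAdminNames -contains $u.Name) {
            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                LocalAccount   = $u.Name
                Enabled        = $u.Enabled
                # RID 500 marks the built-in Administrator, even after a rename.
                RenamedBuiltin = ([string]$u.SID) -match '-500$'
            }
        }
    }
}

# Constructed sample data standing in for Get-LocalUser output.
$sid = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'corpadmin';  Enabled = $true;  SID = "$sid-500"  }
    [pscustomobject]@{ Name = 'Guest';      Enabled = $false; SID = "$sid-501"  }
    [pscustomobject]@{ Name = 'svc_backup'; Enabled = $true;  SID = "$sid-1001" }
)

# Reports only 'corpadmin', with RenamedBuiltin = True.
Find-AdminNameCollision -DomainAdminNames 'CorpAdmin', 'jsmith' -LocalUsers $sample
```

Run on a server without `-LocalUsers`, it checks that machine's real local accounts against the names passed in.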
