asked
Domain account getthing locked
Hi, For some reason, my windows domain account keeps getting locked. I have checked the event viewer and found that the sqlserv.exe is attempting to connect with my account. but i have checked all the sql server agent jobs and the services none of them are linked to my domain account. i am not sure what is causing this. It gets locked out in the odd timings where there when there is no backup or anything kind of activity happening at my end.
the process name is definitely `sqlserv.exe`? See:
http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=WORM_SDBOT.BZO SQLServer processes are normally SQLServr.exe - at least the 2005, 2008 & 2012 instances I'm running here are... ;)
If I ask myself when could be my windows account is locked, it should be when I try to supply the username and password. So the few possibilities could 1. The credentials are used on OS level. 2. On SQL Server, whenever the credentials are supplied manually. By default it is a tokenized process which is handled by the Windows, no password is supplied. Now, at the OS level, I am assuming that you have make sure that no where your password is saved OR no one/ application is using your user name and password. At SQL Server level, I can think of only 3 scenarios when the credentials are supplied (there could be more) 1. Whenever you try to use SSMS with RUN AS option 2. A proxy account 3. xp_cmdshell proxy account (which is the same as above) For the first one, you can track down at OS level. For rest of the two, following script should help you out USE msdb ; GO SELECT * FROM sys.credentials GO EXEC dbo.sp_help_proxy ; If you found your username in the output, you may have find the root cause. But also make sure nothing is happening at the OS level. This could be dangerous if someone is trying to use your username.
Sorry for no response. I got stuck into an urgent matter. But seems like you have already sort it out :)
Well that depends. If you do not want to have that credential, then you can DROP it. But that I would not recommend, until you find out whether it is used somewhere or not. Another way of doing it is to ALTER the credential with your new password. But if you have not taken any step yet, then how the account locking stopped? Or is it still the same?
Can you profile the SQL Server to see if you can capture what is causing your account to be locked out? Just a thought...
You might also try the default trace (if enabled). If the account is getting locked out, that should mean it is probably still trying after the lockout so you should see failed login events show up for your account.
Are you leaving SSMS open? Do you have ongoing connections to SQL Server? Do you leave query windows open overnight? What is it trying to connect to that causes the lockouts? I don't have the answer at hand but understanding the surrounding circumstances may help us troubleshoot further.
7 People are following this question.
