I am seeing local administrator accounts on member servers getting locked out.
The security logs show other member servers are attempting to log on using their local administrator credentials. The issue, I assume, is a different password for the local administrator between these member servers (a good idea in my book - however, causing me considerable frustration).
Server-A and Server-B are member servers, joined to a domain, not DC's themselves.
Server-A: failed logon attempt from Server-B\Administrator
Server-A\administrator account gets locked out.
The question is: how can I monitor these systems to see which process on Server-B is trying to authenticate to Server-A using Server-B\administrator?