Windows 2008 SBS admin account lockout and audit.

I've just started to take control of a small network with Windows 2008 SBS and have faced occasions when the administrator account is locked due to too many login attempts. Is there an easy way to audit this behavior and find out who is locking it up? I have looked at the event log for event IDs related to account lockout and had no luck; I could not find much in there. Maybe someone here knows a simpler way to investigate. Thank you.
Asked by: jdff
 
awawada Commented:
Have you enabled all the audits?

Audit account logon events:

https://technet.microsoft.com/en-us/library/cc976367.aspx

Audit logon events:

https://technet.microsoft.com/en-us/library/cc976395.aspx
0
 
Larry Struckmeyer MVP Commented:
If you haven't already, create another Admin level account to use for the times that the primary account is locked.
0
 
jdff (Author) Commented:
Hi Larry,
Yes, I did create another one, but still need help finding where the lock originated. Awada, I will check on that, but looks like it may have been enabled.
0
 
btan (Exec Consultant) Commented:
Netwrix Account Lockout Examiner (free) is a freeware tool that alerts you to account lockouts in real time and helps you quickly troubleshoot and resolve them. It can send email notifications on account lockouts in the managed domains to specified recipients. However, the free version does not have the role-based security for delegated help desk operator access or the Help-Desk Portal for web access. These are in an Enterprise edition if the freeware proves worthy of consideration after trying it out.
https://www.netwrix.com/account_lockout_examiner_editions.html

You may want to try out the freeware as a start for the examination. For the details, it is best to look at the guides.
When you launch examination, Netwrix Account Lockout Examiner performs the following six examination tasks:
  • Examination of COM objects
  • Examination of Windows services
  • Examination of scheduled tasks
  • Examination of logon sessions
  • Examination of drive mappings
  • Examination of invalid logons
User guide -
https://www.netwrix.com/download/QuickStart/Netwrix_Account_Lockout_Examiner_QuickStart_Guide.pdf

Admin guide -
https://www.netwrix.com/download/documents/Netwrix_Account_Lockout_Examiner_Administrator_Guide.pdf
0
 
Larry Struckmeyer MVP Commented:
One reason this could be happening is if port 3389 is forwarded to the IP of the SBS and someone is using a tool such as TSgrinder to brute force connect.
0
 
jdff (Author) Commented:
Looks like this will do the job, I will update this post once confirmed.
0
Question has a verified solution.
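
Added example, not part of the original thread or of any tool mentioned in it: a PowerShell sketch that looks for the lockout source in the Security log once the audit policies linked above are enabled. It assumes PowerShell 2.0 or later run elevated on the SBS server, and the account name and 24-hour window are placeholders to adjust.

```powershell
# Assumptions: the locked account is named 'Administrator'; look back 24 hours.
$Account = 'Administrator'
$Since   = (Get-Date).AddHours(-24)

# Turn an event's <EventData> block into a name -> value hashtable.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# Read Security log events with the given ID since $Since.
function Get-SecurityEvents($Id) {
    # Get-WinEvent raises an error when nothing matches, so suppress it.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } `
        -ErrorAction SilentlyContinue
}

# 4740 = "A user account was locked out". It is logged on the domain
# controller; the caller computer name is stored in TargetDomainName.
$lockouts = Get-SecurityEvents 4740 | ForEach-Object {
    $f = Get-EventFields $_
    if ($f.TargetUserName -eq $Account) {
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; Account = $f.TargetUserName
            CallerComputer = $f.TargetDomainName }
    }
}

# 4625 = "An account failed to log on". LogonType 10 is RemoteInteractive
# (RDP) and 3 is Network; IpAddress shows where the attempt came from.
$failures = Get-SecurityEvents 4625 | ForEach-Object {
    $f = Get-EventFields $_
    if ($f.TargetUserName -eq $Account) {
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; LogonType = $f.LogonType
            Workstation = $f.WorkstationName; SourceIp = $f.IpAddress }
    }
}

$lockouts | Sort-Object Time | Format-Table Time, Account, CallerComputer -AutoSize

# Rank failure sources: many failures from one external IP with LogonType 10
# or 3 is consistent with the exposed port 3389 scenario raised in the thread.
$failures | Group-Object SourceIp, Workstation, LogonType |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

If both tables come back empty while lockouts are still happening, the audit settings are not producing events and should be checked first.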
