Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 127
  • Last Modified:

Windows 2008 SBS admin account lockout and audit.

I've just started to take control of a small network with Windows 2008 SBS and have faced occasions that the administrator account is locked due to too many login attempts, is there a easy way to audit this behavior and find out who is locking it up? I have looked at the event log for event ids related to account lockout and no luck, could not find much in there. Maybe someone here knows a simpler way to investigate. Thank you.
0
jdff
Asked:
jdff
1 Solution
 
awawadaCommented:
Have you enabled all the audits?

Audit account logon events:

https://technet.microsoft.com/en-us/library/cc976367.aspx

Audit logon events:

https://technet.microsoft.com/en-us/library/cc976395.aspx
0
 
Larry Struckmeyer MVPCommented:
If you haven't already, create another Admin level account to use for the times that the primary account is locked.
0
 
jdffAuthor Commented:
Hi Larry,
Yes, I did create another one, but still need help finding where the lock originated. Awada, I will check on that, but looks like it may have been enabled.
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
btanExec ConsultantCommented:
Netwrix Account Lockout Examiner (free) is a freeware tool that alerts you to account lockouts in real time and helps you quickly troubleshoot and resolve them. It can send email notifications on account lockouts in the managed domains to specified recipients. However, the free version does not have the Role-based security for delegated help desk operator access and Help-Desk Portal for web access. These are in an Enterprise edition if the freeware prove worthy for consideration after trying it out.
https://www.netwrix.com/account_lockout_examiner_editions.html

You may want to try out the freeware as a start for the examination. For the details, it is best to look at the guides.
When you launch examination, Netwrix Account Lockout Examiner performs the
following six examination tasks:
 Examination of COM objects
 Examination of Windows services
 Examination of scheduled tasks
 Examination of logon sessions
 Examination of drive mappings
 Examination of invalid logons
User guide -
https://www.netwrix.com/download/QuickStart/Netwrix_Account_Lockout_Examiner_QuickStart_Guide.pdf

Admin guide -
https://www.netwrix.com/download/documents/Netwrix_Account_Lockout_Examiner_Administrator_Guide.pdf
0
 
Larry Struckmeyer MVPCommented:
One reason this could be happening is if port 3389 is forwarded to the IP of the SBS and someone is using such as TSgrinder to brute force connect.
0
 
jdffAuthor Commented:
Looks like this will do the job, I will update this post once confirmed.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now