<div>
Have you enabled all the audits?<br />
<br />
<b>Audit account logon events:</b><br />
<br />
<a href="https://technet.microsoft.com/en-us/library/cc976367.aspx" rel="ugc">https://technet.microsoft.com/en-us/library/cc976367.aspx</a><br />
<br />
<b>Audit logon events:</b><br />
<br />
<a href="https://technet.microsoft.com/en-us/library/cc976395.aspx" rel="ugc">https://technet.microsoft.com/en-us/library/cc976395.aspx</a>
</div>


Have you enabled all the audits?

Audit account logon events:

https://technet.microsoft.com/en-us/library/cc976367.aspx [https://technet.microsoft.com/en-us/library/cc976367.aspx]

Audit logon events:

https://technet.microsoft.com/en-us/library/cc976395.aspx [https://technet.microsoft.com/en-us/library/cc976395.aspx]

<div>
If you haven't already, create another Admin level account to use for the times that the primary account is locked.
</div>


If you haven't already, create another Admin level account to use for the times that the primary account is locked.

<div>
Hi Larry,<br />
Yes, I did create another one, but still need help finding where the lock originated. Awada, I will check on that, but looks like it may have been enabled.
</div>


Hi Larry,
Yes, I did create another one, but still need help finding where the lock originated. Awada, I will check on that, but looks like it may have been enabled.

<div>
One reason this could be happening is if port 3389 is forwarded to the IP of the SBS and someone is using such as TSgrinder to brute force connect.
</div>


One reason this could be happening is if port 3389 is forwarded to the IP of the SBS and someone is using such as TSgrinder to brute force connect.

<div>
Looks like this will do the job, I will update this post once confirmed.
</div>


Looks like this will do the job, I will update this post once confirmed.

<div>
<div class="content wysiwyg-content">
I've just started to take control of a small network with Windows 2008 SBS and have faced occasions that the administrator account is locked due to too many login attempts, is there a easy way to audit this behavior and find out who is locking it up? I have looked at the event log for event ids related to account lockout and no luck, could not find much in there. Maybe someone here knows a simpler way to investigate. Thank you.
</div>
</div>


I've just started to take control of a small network with Windows 2008 SBS and have faced occasions that the administrator account is locked due to too many login attempts, is there a easy way to audit this behavior and find out who is locking it up? I have looked at the event log for event ids related to account lockout and no luck, could not find much in there. Maybe someone here knows a simpler way to investigate. Thank you.

Windows 2008 SBS admin account lockout and audit.

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.