?
Solved

Windows 2008 SBS admin account lockout and audit.

Posted on 2016-09-09
6
Medium Priority
?
102 Views
Last Modified: 2016-09-13
I've just started to take control of a small network with Windows 2008 SBS and have faced occasions that the administrator account is locked due to too many login attempts, is there a easy way to audit this behavior and find out who is locking it up? I have looked at the event log for event ids related to account lockout and no luck, could not find much in there. Maybe someone here knows a simpler way to investigate. Thank you.
0
Comment
Question by:jdff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 41792328
Have you enabled all the audits?

Audit account logon events:

https://technet.microsoft.com/en-us/library/cc976367.aspx

Audit logon events:

https://technet.microsoft.com/en-us/library/cc976395.aspx
0
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 41792591
If you haven't already, create another Admin level account to use for the times that the primary account is locked.
0
 

Author Comment

by:jdff
ID: 41792623
Hi Larry,
Yes, I did create another one, but still need help finding where the lock originated. Awada, I will check on that, but looks like it may have been enabled.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 41792626
Netwrix Account Lockout Examiner (free) is a freeware tool that alerts you to account lockouts in real time and helps you quickly troubleshoot and resolve them. It can send email notifications on account lockouts in the managed domains to specified recipients. However, the free version does not have the Role-based security for delegated help desk operator access and Help-Desk Portal for web access. These are in an Enterprise edition if the freeware prove worthy for consideration after trying it out.
https://www.netwrix.com/account_lockout_examiner_editions.html

You may want to try out the freeware as a start for the examination. For the details, it is best to look at the guides.
When you launch examination, Netwrix Account Lockout Examiner performs the
following six examination tasks:
 Examination of COM objects
 Examination of Windows services
 Examination of scheduled tasks
 Examination of logon sessions
 Examination of drive mappings
 Examination of invalid logons
User guide -
https://www.netwrix.com/download/QuickStart/Netwrix_Account_Lockout_Examiner_QuickStart_Guide.pdf

Admin guide -
https://www.netwrix.com/download/documents/Netwrix_Account_Lockout_Examiner_Administrator_Guide.pdf
0
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 41792644
One reason this could be happening is if port 3389 is forwarded to the IP of the SBS and someone is using such as TSgrinder to brute force connect.
0
 

Author Closing Comment

by:jdff
ID: 41797302
Looks like this will do the job, I will update this post once confirmed.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question