Solved

Windows 2008 SBS admin account lockout and audit.

Posted on 2016-09-09
6
71 Views
Last Modified: 2016-09-13
I've just started to take control of a small network with Windows 2008 SBS and have faced occasions that the administrator account is locked due to too many login attempts, is there a easy way to audit this behavior and find out who is locking it up? I have looked at the event log for event ids related to account lockout and no luck, could not find much in there. Maybe someone here knows a simpler way to investigate. Thank you.
0
Comment
Question by:jdff
6 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 41792328
Have you enabled all the audits?

Audit account logon events:

https://technet.microsoft.com/en-us/library/cc976367.aspx

Audit logon events:

https://technet.microsoft.com/en-us/library/cc976395.aspx
0
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 41792591
If you haven't already, create another Admin level account to use for the times that the primary account is locked.
0
 

Author Comment

by:jdff
ID: 41792623
Hi Larry,
Yes, I did create another one, but still need help finding where the lock originated. Awada, I will check on that, but looks like it may have been enabled.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 41792626
Netwrix Account Lockout Examiner (free) is a freeware tool that alerts you to account lockouts in real time and helps you quickly troubleshoot and resolve them. It can send email notifications on account lockouts in the managed domains to specified recipients. However, the free version does not have the Role-based security for delegated help desk operator access and Help-Desk Portal for web access. These are in an Enterprise edition if the freeware prove worthy for consideration after trying it out.
https://www.netwrix.com/account_lockout_examiner_editions.html

You may want to try out the freeware as a start for the examination. For the details, it is best to look at the guides.
When you launch examination, Netwrix Account Lockout Examiner performs the
following six examination tasks:
 Examination of COM objects
 Examination of Windows services
 Examination of scheduled tasks
 Examination of logon sessions
 Examination of drive mappings
 Examination of invalid logons
User guide -
https://www.netwrix.com/download/QuickStart/Netwrix_Account_Lockout_Examiner_QuickStart_Guide.pdf

Admin guide -
https://www.netwrix.com/download/documents/Netwrix_Account_Lockout_Examiner_Administrator_Guide.pdf
0
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 41792644
One reason this could be happening is if port 3389 is forwarded to the IP of the SBS and someone is using such as TSgrinder to brute force connect.
0
 

Author Closing Comment

by:jdff
ID: 41797302
Looks like this will do the job, I will update this post once confirmed.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question