jdff
Windows 2008 SBS admin account lockout and audit.
I've just started to take control of a small network with Windows 2008 SBS and have faced occasions where the administrator account is locked due to too many login attempts. Is there an easy way to audit this behavior and find out who is locking it up? I have looked at the event log for event IDs related to account lockout with no luck; I could not find much in there. Maybe someone here knows a simpler way to investigate. Thank you.
If you haven't already, create another Admin level account to use for the times that the primary account is locked.
ASKER
Hi Larry,
Yes, I did create another one, but still need help finding where the lock originated. Awada, I will check on that, but looks like it may have been enabled.
One reason this could be happening is if port 3389 is forwarded to the IP of the SBS and someone is using a tool such as TSgrinder to brute-force the connection.
ASKER
Looks like this will do the job, I will update this post once confirmed.
Audit account logon events:
https://technet.microsoft.com/en-us/library/cc976367.aspx
Audit logon events:
https://technet.microsoft.com/en-us/library/cc976395.aspx
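One way to trace where the lockouts come from once auditing is recording events, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later in an elevated session on the SBS server (the domain controller), an account name of `Administrator`, and a 7-day window; `Get-EventFields` is a helper defined here.

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
$account = 'Administrator'          # assumption: logon name of the locked account
$since   = (Get-Date).AddDays(-7)   # assumption: look back one week

# Helper (defined here): turn an event's <EventData> into a name -> value table.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# Event 4740: "A user account was locked out".
# In this event the TargetDomainName field carries the caller computer name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['TargetUserName'] -eq $account) {
            New-Object PSObject -Property @{
                Time           = $_.TimeCreated
                Account        = $f['TargetUserName']
                CallerComputer = $f['TargetDomainName']
            }
        }
    } | Format-Table Time, Account, CallerComputer -AutoSize

# Event 4625: "An account failed to log on". Count failures per source.
# LogonType 10 is RemoteInteractive (RDP); type 3 is a network logon,
# which is also how RDP failures appear when Network Level Authentication is on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['TargetUserName'] -eq $account) {
            New-Object PSObject -Property @{
                Source = '{0} / {1} / type {2}' -f $f['IpAddress'], $f['WorkstationName'], $f['LogonType']
            }
        }
    } | Group-Object Source | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
```

A large failure count from an external IP address points to the forwarded port 3389 scenario mentioned above; an internal workstation name usually points to a stale saved credential, service, or mapped drive on that machine.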