Solved

Windows 2008 SBS admin account lockout and audit.

Posted on 2016-09-09
47 Views
Last Modified: 2016-09-13
I've just started to take control of a small network with Windows 2008 SBS and have faced occasions where the administrator account is locked due to too many login attempts. Is there an easy way to audit this behavior and find out who is locking it up? I have looked at the event log for event IDs related to account lockout with no luck; I could not find much in there. Maybe someone here knows a simpler way to investigate. Thank you.
0
Question by:jdff
6 Comments
 
LVL 18

Expert Comment

by:awawada
Have you enabled all the audits?

Audit account logon events:

https://technet.microsoft.com/en-us/library/cc976367.aspx

Audit logon events:

https://technet.microsoft.com/en-us/library/cc976395.aspx
0
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
If you haven't already, create another Admin level account to use for the times that the primary account is locked.
0
 

Author Comment

by:jdff
Hi Larry,
Yes, I did create another one, but still need help finding where the lock originated. Awada, I will check on that, but looks like it may have been enabled.
0

 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Netwrix Account Lockout Examiner (free) is a freeware tool that alerts you to account lockouts in real time and helps you quickly troubleshoot and resolve them. It can send email notifications on account lockouts in the managed domains to specified recipients. However, the free version does not have the role-based security for delegated help desk operator access or the Help-Desk Portal for web access. These are in the Enterprise edition, if the freeware proves worthy of consideration after trying it out.
https://www.netwrix.com/account_lockout_examiner_editions.html

You may want to try out the freeware as a start for the examination. For the details, it is best to look at the guides.
When you launch examination, Netwrix Account Lockout Examiner performs the following six examination tasks:
- Examination of COM objects
- Examination of Windows services
- Examination of scheduled tasks
- Examination of logon sessions
- Examination of drive mappings
- Examination of invalid logons

User guide -
https://www.netwrix.com/download/QuickStart/Netwrix_Account_Lockout_Examiner_QuickStart_Guide.pdf

Admin guide -
https://www.netwrix.com/download/documents/Netwrix_Account_Lockout_Examiner_Administrator_Guide.pdf
0
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
One reason this could be happening is if port 3389 is forwarded to the IP of the SBS and someone is using a tool such as TSgrinder to brute-force the connection.
0
 

Author Closing Comment

by:jdff
Looks like this will do the job, I will update this post once confirmed.
0
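
An added example, not part of any poster's comment and not Netwrix code: one way to trace the lockout source by hand from the Security log, tying together the audit-policy comment and the port 3389 comment above. It assumes PowerShell 2.0 or later on the SBS server, that account management auditing (for event 4740) and failure auditing of logon events (for event 4625) are enabled, and that `$Account`, `$Since` and the helper `Get-EventFields` are illustrative names.

```powershell
# Added example. Assumes PowerShell 2.0+ in an elevated session on the SBS server
# (the domain controller). $Account and $Since are assumed values; adjust them.
$Account = 'Administrator'
$Since   = (Get-Date).AddDays(-7)

# Hypothetical helper: turn an event record into a hashtable of its named EventData fields.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

# 4740 = "A user account was locked out". In this event the TargetDomainName
# field holds the caller computer name: the machine the bad passwords came through.
$lockoutFilter = @{ LogName = 'Security'; Id = 4740; StartTime = $Since }
Get-WinEvent -FilterHashtable $lockoutFilter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['TargetUserName'] -eq $Account) {
            New-Object PSObject -Property @{
                Time           = $_.TimeCreated
                Account        = $f['TargetUserName']
                CallerComputer = $f['TargetDomainName']
            }
        }
    } |
    Sort-Object Time |
    Format-Table Time, Account, CallerComputer -AutoSize

# 4625 = "An account failed to log on", written on the machine where the logon
# was attempted. Grouping by source separates an outside address hammering RDP
# from a LAN workstation or service replaying a stale password.
# LogonType 10 = RemoteInteractive (RDP), 3 = Network.
$failureFilter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
Get-WinEvent -FilterHashtable $failureFilter -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_['TargetUserName'] -eq $Account } |
    Group-Object { '{0} | {1} | type {2}' -f $_['IpAddress'], $_['WorkstationName'], $_['LogonType'] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

If the first query returns nothing while lockouts are still occurring, the relevant audit policy is not writing events, which is the point of the first expert comment.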
