Administrator account keeps getting locked out. Can't trace source


I was able to resolve the issue by turning on NTLM auditing under the Local Security Policy. (Local Security Policy\Local Policies\Security Options\Restrict NTLM Audit)

It appears that an attacker was trying to gain access by brute forcing RDP authentication. The NTLM audit log gave me the name of the computer with open RDP access and I was able to resolve the issue by locking it down.

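The steps the answer describes, as an added example rather than anything from the original post: switch on the "Restrict NTLM" audit policies on the domain controller, then read the lockout (4740), NTLM credential-validation (4776) and NTLM audit events for the account and group them by the computer they came from. The registry value names under MSV1_0, the event IDs 8003/8004 in the Microsoft-Windows-NTLM/Operational channel, and the `$Account`/`$Hours` parameters are assumptions of this example; check them against your own Windows build before relying on the output.

```powershell
# Added example, not from the original post. Run elevated on the DC.
# Assumptions: the Local Security Policy "Restrict NTLM" audit settings map to the DWORDs
# under MSV1_0 shown below, and a DC writes the audit records as events 8003/8004 in
# Microsoft-Windows-NTLM/Operational.
param(
    [string]$Account = 'Administrator',   # account that keeps locking out
    [int]$Hours      = 24                 # how far back to search
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. Same switches as Local Security Policy > Local Policies > Security Options >
#    "Network security: Restrict NTLM: Audit ..." (value names assumed).
#    AuditReceivingNTLMTraffic: 0 = off, 1 = domain accounts only, 2 = all accounts
#    AuditNTLMInDomain:         0 = off, 7 = audit all NTLM authentication in the domain
Set-ItemProperty -Path $lsa -Name AuditReceivingNTLMTraffic -Type DWord -Value 2
Set-ItemProperty -Path $lsa -Name AuditNTLMInDomain         -Type DWord -Value 7
wevtutil set-log Microsoft-Windows-NTLM/Operational /enabled:true   # make sure the channel collects

# Flatten one EventRecord into an object with a property per <Data Name="..."> field, so the
# same code can read Security and NTLM/Operational events without hard-coding every schema.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $row = [ordered]@{ Time = $Event.TimeCreated; Id = $Event.Id; Log = $Event.LogName }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

# 2. Collect candidates. Security 4740 = account locked out (the caller computer name is
#    stored in TargetDomainName, an old schema quirk); 4776 = NTLM credential validation,
#    whose "Workstation" field is the one that was blank in the question.
$since   = (Get-Date).AddHours(-$Hours)
$filters = @(
    @{ LogName = 'Security';                           Id = 4740, 4776; StartTime = $since }
    @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8003, 8004; StartTime = $since }  # assumed IDs
)
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object { Get-EventFields $_ }
}

# 3. Keep only events that name the account anywhere, and pull the source host per schema.
$hits = foreach ($e in $events) {
    $mentions = $e.PSObject.Properties | Where-Object { $_.Value -is [string] -and $_.Value -ieq $Account }
    if (-not $mentions) { continue }
    $source = switch ($e.Id) {
        4740    { $e.TargetDomainName }
        4776    { $e.Workstation }
        default { ($e.PSObject.Properties | Where-Object Name -like '*Workstation*' | Select-Object -First 1).Value }
    }
    if ([string]::IsNullOrWhiteSpace($source)) { $source = '<blank>' }
    [pscustomobject]@{ Time = $e.Time; Log = $e.Log; Id = $e.Id; Source = $source; Status = $e.Status }
}

# 4. Which computer is hammering the account? For 4776, Status 0xC000006A = bad password and
#    0xC0000234 = account locked out; a pile of 0xC000006A from one host is the brute-forcer.
$hits | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$hits | Sort-Object Time | Select-Object -Last 20 | Format-Table -AutoSize
```

Two caveats: on a domain controller a setting in the Default Domain Controllers Policy overrides whatever you set locally, so check `gpresult /h` if the registry values revert; and the DC only ever sees the name of the machine that forwarded the NTLM request (here, the host with RDP exposed), not the attacker's address. For that, look at event 4625 in the Security log of the named host, whose IpAddress field carries the client that sent the failed logon.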


Author: rb195048 (updated on September 18, 2022)

Comments

  • rb195048, over 1 year

    The Administrator account keeps getting locked out. The Event logs and Netlogon logs confirm that the account is getting locked out, but the source computer name isn't provided (it is blank). The screenshots below are from the Event log and Netlogon log. How can I find the source of the account lockout? Thanks!


  • rb195048, over 7 years
    I've run a Wireshark capture on the DC and all the IPs that are hitting it are local (i.e. there is nothing foreign hitting the server). The only traffic that seems to be hitting it is normal domain controller type traffic. Is there anything specific I need to be looking for?
  • joeqwerty, over 7 years
    "I've run a Wireshark capture on the DC and all the IPs that are hitting it are local" - How would a non-local host get access to your DC? Are you thinking of a remote user or a smartphone/tablet?