Channel: Directory Services forum

Finding the source of repeated AD account lockouts


Hello,

On a Windows Server 2008 R2 domain, I have turned on auditing to try and determine the source that keeps locking out an admin account every 30 minutes or so.  Looking at the security event log on our domain controllers, I see Event IDs 4740 and 4776 that correspond to each account lockout instance.  The problem is that the Caller Computer Name is blank for Event ID 4740 and the Source Workstation is also blank for Event ID 4776.

I am using Microsoft's Account Lockout Status, as well as a few other account lockout troubleshooting tools, to try to identify a device name or IP address.  The closest I've found is a machine named "RDESKTOP" which just tells me it is being caused by some remote desktop device.

Does anyone have any suggestions on how to determine the name or IP address of RDESKTOP so that I can track it down and ultimately figure out where an old password is trying to be repeatedly used causing a user's AD account to be locked out every 30 minutes or so?

Thank you in advance for any advice or suggestions on how to track down the real source of the constant account lockouts.

-Marc
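
The two events described in the post can be pulled into one timeline per account, which makes it easy to see which records carry a source name and which are blank. This is an added example, not part of the original post; the account name, domain controller name and time window are placeholders, and it assumes PowerShell 3.0 or later with rights to read the Security log on the domain controller.

```powershell
# Added example: list 4740 (account locked out) and 4776 (credential validation)
# events for one account, showing the source fields the post refers to.
$Account          = 'locked.admin'            # placeholder account name
$DomainController = 'DC01'                    # placeholder domain controller
$Since            = (Get-Date).AddHours(-2)   # placeholder time window

# Get-WinEvent reports "no matching events" as an error, so it is silenced here.
$events = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740, 4776
    StartTime = $Since
}

$rows = foreach ($ev in $events) {
    # Turn the <EventData> name/value pairs into a hashtable keyed by field name.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4776 may log the name in other forms (for example a UPN); this matches the plain name only.
    if ($data['TargetUserName'] -ne $Account) { continue }

    # In the event XML, 4740 keeps "Caller Computer Name" in TargetDomainName,
    # and 4776 keeps "Source Workstation" in Workstation.
    $source = if ($ev.Id -eq 4740) { $data['TargetDomainName'] } else { $data['Workstation'] }
    if ([string]::IsNullOrEmpty($source)) { $source = '<blank>' }

    [pscustomobject]@{
        TimeCreated = $ev.TimeCreated
        EventId     = $ev.Id
        Account     = $data['TargetUserName']
        Source      = $source
        Status      = $data['Status']     # 4776 only; 0xC000006A means bad password
        LoggedOn    = $ev.MachineName     # the DC that recorded the event
    }
}

$rows | Sort-Object TimeCreated | Format-Table -AutoSize
```

Running it against each domain controller in turn shows which one recorded the failed validations that precede each lockout.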

