Dear all!
We are using commonly used accounts like scanner, security, hr, and sometimes they get locked, out of nowhere. My guess is that someone is trying from outside via RDP. We are using lockout, so the accounts get blocked, which is nice, no more attack, but when people try to use the account, they can't, because it is locked. When I look in the Event Viewer on the DC and find the lockout event, the caller computer (hope that is translated correctly, meaning where the lock originated) is empty. If I look at the TerminalServices-RemoteConnectionManager\Operational events, I only see that the TCP listener got a connection (no more info), and after 40 seconds the account is locked.
There is an option to rename these accounts, but I am not 100% sure it is coming from outside, and some other method to prevent this would be nice.
Any ideas are welcome
Thank you
Peter