Logging in to Windows via RDP - Event 4625 - Account Lockout

mike_2 21 Reputation points
2020-12-16T23:24:32.983+00:00

I searched for some answers to this question, but I'm not finding anything...

I am looking in event viewer at attempts to log on to a Windows machine via RDP. I have a policy in place to lock an account after 3 failed sign in attempts. This is a standalone Windows machine with a few local users.

I am seeing numerous entries for event ID 4625. There are multiple attempts being made to login to the machine with various usernames, including 'Administrator'. The administrator account is enabled for remote login.

I'm wondering why the administrator account isn't getting locked out with these failed login attempts? If I try to log in with a user and provide a bad password 3 times, it locks it out - this is expected. I'm expecting to see the administrator account locked out too, but it isn't.

If I look at the 'Administrator' user information (computer management, local users), the 'account is locked out' check box is checked, but the account isn't locked out. At least it isn't when I try to log on with it. It works.

Why isn't the administrator account getting locked out? Shouldn't it be, from these failed login attempts?

I'd appreciate any feedback. Thank you.

Windows Server 2019
Remote Desktop

Accepted answer
  1. Karlie Weng 13,951 Reputation points Microsoft Vendor
    2020-12-17T05:55:58.96+00:00

    Hello @mike_2

    "A lockout threshold policy will apply to both local member computer users and domain users, in order to allow mitigation of issues as described under "Vulnerability". The built-in Administrator account, however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot sign in to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password."

    Security considerations

    Hope this is what you are looking for.


    Best Regards
    Karlie
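
Since the quoted documentation says the built-in Administrator is excluded from the lockout threshold, failed logons against it only show up in the 4625 events themselves. The following is an added example, not part of the original thread or of Microsoft's documentation: a PowerShell function that tallies 4625 events per target account and source address. The function names, the constructed sample events and the default threshold of 3 (taken from the question) are assumptions for illustration.

```powershell
# Added example. Tallies failed logons (event 4625) per target account.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,   # one $event.ToXml() string per event
        [int] $Threshold = 3,                          # lockout threshold from the question
        [string] $BuiltinAdmin = 'Administrator'       # assumption: account was not renamed
    )
    $rows = foreach ($x in $EventXml) {
        # Flatten <Data Name="...">value</Data> elements into a name/value table
        $data = @{}
        foreach ($d in ([xml]$x).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Account = $data['TargetUserName']; Source = $data['IpAddress'] }
    }
    $rows | Group-Object Account | ForEach-Object {
        [pscustomobject]@{
            Account       = $_.Name
            Failures      = $_.Count
            Sources       = ($_.Group.Source | Sort-Object -Unique) -join ', '
            OverThreshold = $_.Count -ge $Threshold
            # Per the quoted documentation, the built-in Administrator is excluded from lockout
            LockoutExempt = $_.Name -eq $BuiltinAdmin
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample events (not real log data); addresses are from a documentation range.
function New-SampleEvent([string] $User, [string] $Ip) {
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>' +
    "<Data Name=`"TargetUserName`">$User</Data><Data Name=`"IpAddress`">$Ip</Data>" +
    '</EventData></Event>'
}

$sample = @(
    New-SampleEvent 'Administrator' '203.0.113.10'
    New-SampleEvent 'Administrator' '203.0.113.10'
    New-SampleEvent 'Administrator' '203.0.113.22'
    New-SampleEvent 'Administrator' '203.0.113.22'
    New-SampleEvent 'guest' '203.0.113.10'
)
Get-FailedLogonSummary -EventXml $sample | Format-Table -AutoSize

# On the server itself (elevated prompt), feed it the real Security log instead:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object { $_.ToXml() }
# Get-FailedLogonSummary -EventXml $xml
```

Rows where both `OverThreshold` and `LockoutExempt` are true are accounts that have passed the lockout threshold without being protected by it.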

