mike2-1798 asked mike2-1798 commented

Logging in to Windows via RDP - Event 4625 - Account Lockout

I searched for some answers to this question, but I'm not finding anything...

I am looking in event viewer at attempts to log on to a Windows machine via RDP. I have a policy in place to lock an account after 3 failed sign in attempts. This is a standalone Windows machine with a few local users.

I am seeing numerous entries for event ID 4625. There are multiple attempts being made to login to the machine with various usernames, including 'Administrator'. The administrator account is enabled for remote login.

I'm wondering why the administrator account isn't getting locked out with these failed login attempts? If I try to log in with a user and provide a bad password 3 times, it locks it out - this is expected. I'm expecting to see the administrator account locked out too, but it isn't.

If I look at the 'Administrator' user information (computer management, local users), the 'account is locked out' check box is checked, but the account isn't locked out. At least it isn't when I try to log on with it. It works.

Why isn't the administrator account getting locked out? Shouldn't it be, from these failed login attempts?

I'd appreciate any feedback. Thank you.

remote-desktop-services windows-server-2019 remote-desktop-client

1 Answer

KarlieWeng-MSFT answered mike2-1798 commented

Hello @mike2-1798

"A lockout threshold policy will apply to both local member computer users and domain users, in order to allow mitigation of issues as described under "Vulnerability". The built-in Administrator account, however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot sign in to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password."

Security considerations

Hope this is what you are looking for.



If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best Regards
Karlie


This is exactly what I was looking for and answers the question precisely. Thank you!

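To see which accounts the 4625 entries in the question are aimed at and where they come from, here is an added example (not part of the original thread or of Microsoft's documentation): a PowerShell function that tallies failed logons per account and source address and flags the built-in Administrator when it has reached the lockout threshold without being subject to it. The function names, the sample events and the assumption that the built-in account is still named 'Administrator' are illustrative.

```powershell
# Added example. Sample events below are constructed, trimmed to the fields used.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,
        [int] $Threshold = 3,                      # lockout threshold from the question
        [string] $AdminName = 'Administrator'      # assumption: built-in account not renamed
    )
    $rows = foreach ($x in $EventXml) {
        $data = @{}
        foreach ($d in ([xml]$x).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account   = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']         # 10 = RemoteInteractive, 3 = Network
        }
    }
    $rows | Group-Object Account, Source | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Account    = $first.Account
            Source     = $first.Source
            LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            Failures   = $_.Count
            # At or past the threshold, yet exempt from lockout per the answer above
            ExemptFromLockout = ($first.Account -eq $AdminName) -and ($_.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample 4625 records (documentation-range addresses)
function New-Sample4625([string]$User, [string]$Ip, [int]$Type) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4625</EventID></System>" +
    "<EventData><Data Name='TargetUserName'>$User</Data><Data Name='LogonType'>$Type</Data>" +
    "<Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}
$sample = @(
    1..5 | ForEach-Object { New-Sample4625 'Administrator' '203.0.113.10' 3 }
    1..2 | ForEach-Object { New-Sample4625 'mike' '203.0.113.10' 3 }
    New-Sample4625 'admin' '198.51.100.7' 10
)
Get-FailedLogonSummary -EventXml $sample | Format-Table -AutoSize

# Live log instead of the sample (elevated prompt):
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object { $_.ToXml() }
# Get-FailedLogonSummary -EventXml $live
```

Rows with `ExemptFromLockout` set to True are the ones where the threshold alone offers no protection, which is where the strong password mentioned in the quoted guidance has to carry the load.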