I searched for some answers to this question, but not finding anything....
I am looking in event viewer at attempts to log on to a Windows machine via RDP. I have a policy in place to lock an account after 3 failed sign in attempts. This is a standalone Windows machine with a few local users.
I am seeing numerous entries for event ID 4625. There are multiple attempts being made to login to the machine with various usernames, including 'Administrator'. The administrator account is enabled for remote login.
I'm wondering why the administrator account isn't getting locked out with these failed login attempts? If I try to log in with a user and provide a bad password 3 times, it locks it out - this is expected. I'm expecting to see the administrator account locked out too, but it isn't.
If I look at the 'Administrator' user information (computer management, local users), the 'account is locked out' check box is checked, but the account isn't locked out. At least it isn't when I try to log on with it. It works.
Why isn't the administrator account getting locked out? Shouldn't it be, from these failed login attempts?
I'd appreciate any feedback. Thank you.