Windows – Administrator account keeps getting locked out. Can’t trace source

Tags: active-directory, security, user-accounts, windows, windows-server-2012-r2

The Administrator account keeps getting locked out. The Event logs and Netlogon logs confirm that the account is getting locked out, but the source computer name isn't provided (it is blank). The screenshots below are from the Event log and the Netlogon log. How can I find the source of the account lockout? Thanks!

[Screenshots of the Event log and Netlogon log entries; images not reproduced]

Best Answer

I was able to resolve the issue by turning on NTLM auditing under the Local Security Policy. (Local Security Policy\Local Policies\Security Options\Restrict NTLM Audit)

It appears that an attacker was trying to gain access by brute forcing RDP authentication. The NTLM audit gave me the name of the computer with open RDP access, and I was able to resolve the issue by locking it down.
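The procedure the answer describes, written out as an added PowerShell example (this is not code from the question or the answer). It assumes the locked-out account is `Administrator`, a 24-hour look-back window, and that it is run elevated on the PDC emulator, which is where every 4740 lockout event is recorded. The "Restrict NTLM Audit" setting the answer refers to is the Local Security Policy item "Network security: Restrict NTLM: Audit NTLM authentication in this domain"; the script sets its registry equivalent. The field names read from events 4740, 4776, 8004 and 4625 are the EventData names Windows uses, but if a field is missing on your build, dump `$_.ToXml()` once and adjust.

```powershell
# Added example, not part of the original question or answer.
# Assumptions: account 'Administrator', last 24 hours, run elevated on the PDC emulator.
$Account = 'Administrator'
$Since   = (Get-Date).AddHours(-24)

# Turn an event's EventData into a name->value hashtable so fields are read by
# name rather than by positional index (indices differ between event IDs).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 1. Lockouts (4740). The "Caller Computer Name" shown in Event Viewer is stored
#    in TargetDomainName; this is the field that was blank in the question.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_
        if ($d.TargetUserName -eq $Account) {
            [pscustomobject]@{ Time = $_.TimeCreated; CallerComputer = $d.TargetDomainName } } } |
    Format-Table -AutoSize

# 2. Failed NTLM credential validations (4776) for the account, grouped by the
#    workstation name the client claimed. RDP brute force through NLA/CredSSP
#    frequently leaves this empty, which is why the Netlogon log was blank too.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.TargetUserName -eq $Account -and $_.Status -ne '0x0' } |
    Group-Object { $_.Workstation } |
    Select-Object @{n='ClaimedWorkstation'; e={$_.Name}}, Count |
    Format-Table -AutoSize

# 3. What the answer did: enable "Network security: Restrict NTLM: Audit NTLM
#    authentication in this domain". Registry equivalent of the policy; 7 = Enable all.
#    Auditing has to happen on the DC, which is the machine that validates the NTLM request.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    -Name AuditNTLMInDomain -Value 7 -Type DWord

# 4. After the next lockout, event 8004 in Microsoft-Windows-NTLM/Operational names
#    the server (SChannelName) that passed the NTLM request to the DC on the client's
#    behalf, i.e. the machine whose RDP listener is being hammered.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NTLM/Operational'; Id=8004; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_
        if ($d.UserName -eq $Account) {
            [pscustomobject]@{ Time = $_.TimeCreated; RelayingServer = $d.SChannelName; ClientWorkstation = $d.WorkstationName } } } |
    Format-Table -AutoSize

# 5. On the server that 8004 named (run this there, not on the DC): failed logons
#    (4625) carry the attacker's source IP. Logon type 10 is interactive RDP;
#    type 3 is what NLA-protected RDP produces before the session is established.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.TargetUserName -eq $Account } |
    Group-Object { "$($_.IpAddress) logontype=$($_.LogonType)" } |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Steps 1 and 2 are the checks that come up empty in the situation the question describes: 4740 has no caller and 4776 has no workstation because the member server forwards the NTLM exchange without a client-supplied name. Step 4 is the one that answers the question, since 8004 records which server relayed the request. Once you have the server, step 5 gives you the source addresses to block, and the real fix is the one the answer applied: take RDP off the internet (VPN, gateway, firewall allow-list) rather than just clearing the lockout.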