To find the source of an account lockout, look in the local Event Viewer>Security, and look at the Failure Audits, for any that match either SYSTEM, or the UserID in question. If you find any, open the log entry, and you will see a Logon Type entry, with a numerical Value. That value is the key to the source of the lockout. See the following article for an excellent description of the codes.
Logon Type Codes Revealed
Also, you can install the Account Lockout Tools from Microsoft.
Download details: Account Lockout and Management Tools
Also, Microsoft recommends to use this in conjunction with Net Logon Debug Logging enabled as well. Personally, I have had results without having to review that log, so I will concentrate on these tools alone...
Enabling debug logging for the Net Logon service
As for the Account Lockout Tools, there are two (that I think are the most beneficial), ALockout.zip (which contains alockout.dll, and appinit.reg) and AloInfo.exe. These will give you the most information about the local system.
Extract both of these, and extract to C:\Altools. Merge appinit.reg into the registry, and reboot the PC. Once installed , the next time a lockout occurs, it will produce the logfile at C:\Windows\Debug. It can sometimes be cryptic to look at, but if you have a corresponding failure in the Security Log, you can match the timestamps to a specific process. Remember to unregister the alockout.dll once you are finished tracking it down. This can be done by going to Start>Run>Regsvr32 /u <pathtofile\alockout.dll, and delete the DLL from the directory.
This can be used from a command prompt, to easily dump information about Stored Credentials for Drive Mappings and Services. Go to Start>Run>Cmd.exe, and enter the following (you can copy/paste both lines, and hit enter), and Notepad.exe will open the newly created log file.
aloinfo.exe /stored /server:\computername >lockout.txt
From there, you can review the logs to see if you can identify what is configured to use the credentials that keep locking out.
Once you have the source of the lockout, it will help to find out where you should be looking for the problem. These are some of the most common places to look.
Look through the Services, for anything running under their UserID (this is the same information that AloInfo.exe gives you, just doing it manually). Might need to add the Log On As column in the view, by clicking on View>Customize.
Look at Mapped Drives that are User Created (not created by Logon Script). Start>Run>Cmd.exe, and enter net use. You will see a list of resources, that the local machine will have a connection to, whether it is a Mapped Drive, or simply a UNC share.
Start>Run>control keymgr.dll, and remove any entries listed, for stored password entries.
Look in Control Panel>Scheduled Tasks. Any errors saying it The Scheduled Task did not run because an incorrect username or password was entered. Either supply alternate credentials, or delete the job.
On a Domain, and the lockouts are not occurring on the local machine, the logs from the Domain Controller will need to be reviewed, to find the source of the problem. In the Security Logs, there will be similar entries, but there will be a Workstation Name value, which should give you the remote PC, or IP address. Once you have the source, then you can go through the steps above, to find the source.
Logs can be an extremely powerful tool to find most common problems. When Windows has a problem, usually it will tell you where the problem is, you just need to be able to find it....
John aka johnb6767