WHile trying to see why/when a users sign on got locked out, i was looking thru the Event Viewer / Security log.
Seems there were a ton, I mean A TON of Success Audit from very late night from a multitude of pc's that i know users are not signing onto.
Most entries are :
ID 540 - Successful Network Logon
ID 538 - User Logoff
ID 680 - Account used for logon by
Does anyone know why so many entries that shouldnt be?