Unexplainable Event ID 675 Flood.
Posted on 2006-06-30
Windows 2003 Domain, 25+ XP Users.
I inherited this domain recently. It had no password security policy enabled, so I enabled one.
As soon as I did, certain users began to get locked out immediately.
I proceeded to enable detailed logging, and found my logs flooded with the following:
User Name: username
User ID: DOMAIN\username
Service Name: krbtgt/DOMAIN.COM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.1.X
This event is logged by 4 users only, in spurts of 6 events, every 2-3 minutes. Only these 4 users exhibit the failures.
I have gone in, deleted mapped drives, analyzed logons for services, checked for viruses, etc.
After hours, the events do not appear. I open files, test applications, log on and off repeatedly, and I do not see these logs.
In practice, every night I attack the issue, and I believe it to be solved; the next morning the issue reappears.
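
As a triage aid for the pattern described in the post (Failure Code 0x18, Kerberos pre-authentication failed, arriving in spurts of 6 every 2-3 minutes), the following is an added example, not part of the original post. It groups exported Event ID 675 records into bursts per user and client address; the timestamp line before each record, the user names and the addresses in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout as shown in the post; the leading timestamp line is an assumption.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\nUser Name: (?P<user>.+)\n"
    r"User ID: .+\nService Name: .+\nPre-Authentication Type: 0x[0-9A-Fa-f]+\n"
    r"Failure Code: (?P<code>0x[0-9A-Fa-f]+)\nClient Address: (?P<addr>\S+)",
    re.MULTILINE)

def parse(text):
    """Yield (timestamp, user, client address, failure code) per record."""
    for m in RECORD.finditer(text):
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["user"], m["addr"], int(m["code"], 16))

def summarize(text, code=0x18, gap=timedelta(seconds=30)):
    """Map (user, client) -> (burst sizes, seconds between burst starts)."""
    runs = defaultdict(list)
    events = sorted(e for e in parse(text) if e[3] == code)  # only this failure code
    for ts, user, addr, _ in events:
        bursts = runs[(user, addr)]
        if bursts and ts - bursts[-1][-1] <= gap:
            bursts[-1].append(ts)   # continues the current burst
        else:
            bursts.append([ts])     # quiet period elapsed: new burst
    out = {}
    for key, bursts in runs.items():
        starts = [b[0] for b in bursts]
        spacing = [int((y - x).total_seconds()) for x, y in zip(starts, starts[1:])]
        out[key] = ([len(b) for b in bursts], spacing)
    return out

def make_record(ts, user, addr, code="0x18"):
    return (f"{ts:%Y-%m-%d %H:%M:%S}\nUser Name: {user}\nUser ID: DOMAIN\\{user}\n"
            "Service Name: krbtgt/DOMAIN.COM\nPre-Authentication Type: 0x2\n"
            f"Failure Code: {code}\nClient Address: {addr}\n")

# Constructed sample: three bursts of 6 failures, 150 s apart, from one client,
# plus one record with a different failure code that must be ignored.
T0 = datetime(2006, 6, 30, 9, 0, 0)
SAMPLE = "\n".join(
    make_record(T0 + timedelta(seconds=150 * b + i), "user1", "192.168.1.20")
    for b in range(3) for i in range(6))
SAMPLE += "\n" + make_record(T0 + timedelta(seconds=40), "user2", "192.168.1.31", "0x17")

if __name__ == "__main__":
    for (user, addr), (sizes, spacing) in summarize(SAMPLE).items():
        print(f"{user} from {addr}: bursts={sizes} spacing_s={spacing}")
```

A fixed burst size at a steady interval from one client address points to something on that machine retrying a stored credential on a timer rather than a person typing a password.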