Account Lockout

We have a user on our domain whose account keeps getting locked out.  I installed the lockout tools from microsoft and from doing an event comb the computer that keeps sending pre-authentication failures is the mail server.
The events i see are in the attached file
IP 10.5.0.5 is the mail server
Thanks
lockout.txt
LVL 1
jduawaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

chikenheadCommented:
someone is trying to hack the users email
0
Delphineous SilverwingGood Ol' GeekCommented:
There is a possibility that the person left Windows logged in and Outlook open at another workstation, then at some point changed their password.  Since this other location is still logged in, using a persistent application like Outlook, the user account locks out.  Check your security logs for the IP address of the failure audit source - now you have the machine cause the lockout.
0
MarkMichaelCommented:
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

jduawaAuthor Commented:
Delphineous:
The log indicates the ip is the mail server.

MarkMichael:
There are 175 computers in the school that the user could have logged into, but unlikely that they left any session logged on, any other thoughts

Thanks
0
Delphineous SilverwingGood Ol' GeekCommented:
Is Outlook Web Access offered?  If a session were left logged on in a browser using the "This is a private computer" selected, then the mail server would show as the source.
0
jduawaAuthor Commented:
i tried sending bad passwords while logging into OWA and it was a different message than the 675 that is in the event viewer
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.