Account Locks out frequently

We have one user and their account keeps getting locked out. We have LockoutStatus.exe running on the DC and it seems that there is a bad password attempt about every 10 minutes. There are no security logs on the user's computer or the DC that coorespond to any of the times that the account has been locked. We have shut his computer off and monitored his account. With the computer off the account still locked, so we have determined that it is another computer on the network. How can I find what computer is causing this issue. I have also tried using EventCombMT and it founf nothing. Anyone have any ideas? The workstations are all running XP and the DC is running Server 2003.
Thanks.
SynergonAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

i2q2Commented:
Check if Account Audit is enabled on the server. If this is enabled then you should have the logs of Bad logins which should give you an idea about where the attempts are coming from. Looks like it a system service that is trying to logon using the user account.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SynergonAuthor Commented:
Thank you that did help. I enabled account audit on the DC and was able to find the logs where it was locking the account. I am a little confused about the results. It says that the Logon was attempted by MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
and that the source workstation is our exchange server.

Here is what the security event says:


Date: 11/6/2008     Source: Security
Time: 1:21:09          Category: Account Logon
Type: Failure Aud    Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: DC

Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      user's email address
 Source Workstation:      Exchange server
 Error Code:      0xC000006A


Any further help would be greatly appreciated. Thanks
0
i2q2Commented:
0
SynergonAuthor Commented:
Thank you for your help. We were able to track the problem down to a misconfigured blackberry.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Analysis

From novice to tech pro — start learning today.