AD Account lockout troubleshooting and tracing

I have an AD account of a user that keeps getting locked out. When I look through the logs I can see that the login requests are coming from another user's computer. This all started happening when we moved the two users' mailboxes over to Exchange 2010, which might or might not be coincidence. Now that I have it narrowed down to the offending computer, how can I figure out what process or application is passing over the bad credentials?

Look at the services using services.msc. Pointing the service using the user credentials is straightforward (the last column says "Logon As").
Adjust the password used by the service and you're good (or use different credentials).
Mike Kline Commented:
Looking at services is a good suggestion.  The AD troubleshooting team had a really good blog entry that shows how to use some Microsoft tools to help you track this down.


If you have "529: Logon Failure - Unknown user name or bad password" events in the event log, you can use the "Logon Type" information in the event to narrow down the cause.

For example:
Logon Type 2 - Someone is interactively entering the password on the workstation
Logon Type 4 - Password is being entered via batch file (usually called by a scheduled task)
Logon Type 5 - Password is being entered via a Service

As an extension to Mike's comment you can look at the Caller PID in the event and see if you see what process the PID belongs to on the suspicious computer.
You can run procmon on the problem machine & see which process is causing the issue.
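
The Logon Type and Caller PID checks suggested in the comments above can be combined over exported event text. The following is an added example, not part of the original thread: it groups 529 failures for the locked-out account by workstation, logon type and caller process ID. The user names, workstation names, PIDs and the field labels in the sample are constructed assumptions.

```python
from collections import Counter

# Logon types listed in the thread, and where each one says to look.
LOGON_TYPE_HINT = {
    "2": "interactive logon: someone typing the password at the workstation",
    "4": "batch logon: check scheduled tasks and batch files",
    "5": "service logon: check the logon account shown in services.msc",
}

# Constructed sample. Field labels follow the event 529 description text
# as assumed here; adjust them if your exported events differ.
TEMPLATE = (
    "Logon Failure:\n"
    "\tReason:\t\tUnknown user name or bad password\n"
    "\tUser Name:\t{user}\n"
    "\tDomain:\t\tEXAMPLE\n"
    "\tLogon Type:\t{ltype}\n"
    "\tWorkstation Name:\t{wks}\n"
    "\tCaller Process ID:\t{pid}\n"
)
SAMPLE_EVENTS = [
    TEMPLATE.format(user="jdoe", ltype="5", wks="WKSTN-B", pid="612"),
    TEMPLATE.format(user="asmith", ltype="2", wks="WKSTN-A", pid="480"),
    TEMPLATE.format(user="JDOE", ltype="5", wks="WKSTN-B", pid="612"),
    TEMPLATE.format(user="jdoe", ltype="4", wks="WKSTN-B", pid="1844"),
]

def parse_529(message):
    """Split one event's description text into a {label: value} dict."""
    fields = {}
    for line in message.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields

def summarize(messages, locked_user):
    """Count failures for locked_user per (workstation, logon type, caller PID)."""
    counts = Counter()
    for message in messages:
        f = parse_529(message)
        if f.get("User Name", "").lower() == locked_user.lower():
            key = (f.get("Workstation Name"), f.get("Logon Type"), f.get("Caller Process ID"))
            counts[key] += 1
    return [
        (wks, ltype, pid, n, LOGON_TYPE_HINT.get(ltype, "other logon type"))
        for (wks, ltype, pid), n in counts.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS, "jdoe"):
        print(row)
```

The most frequent row gives the workstation and caller PID to look up first on the offending computer.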
jpletcher1 Author Commented:
I read this below in another forum and it turned out to fix my issue.  Thanks everyone for your input and suggestions!

This is for anyone that hasn't resolved this... I had this same issue and it turned out to be a Managed Passwords issue. I never added it myself and don't know how the mail server was populated in there, but in the Control Panel -> User Accounts -> Advanced tab -> Manage Passwords, I had an entry for our mail server with my email address specified with a blank password. This messed up any session I wanted to have with the mail server, including Outlook, RDP, UNC, anything at all.
