Tracking Source of Account Lockout
Posted on 2011-03-21
Got about 120 Windows XP Professional SP3 workstations running in a Windows Server 2003 R2 x64-based Active Directory environment.
A few days ago, started having a particular user account -- an administrator account -- that is getting repeatedly locked out. Unlock it, wait a few minutes, locked out again.
My best guesses are that either someone is trying a brute force attack to compromise it (unlikely) or that there's a scheduled task laying around the network somewhere that's repeatedly trying to access it using an old password (likely).
Can someone suggest a way to track where the failed login attempts, and ultimately lockouts, are coming from?