Active Directory Account Locked Out

A particular users account has begun to continually lock out (past month) no new software has been installed. The lockout can occur while user working on the PC/or while PC stationary .ie during lunch or up to 45 minutes after login out? Any ideas as to what could be causing this to occur?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joseph DalyCommented:
First thing first download lockout tools. This will let you see what time and on what DC the account is locking out from. Once you find that event post it here and we can tell you more of whats going on.
Is RDP open to the outside world? This can be an issue.
Also chck any remote devices connecting as the user.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
More specifically, in the lockout tools download that was mentioned earlier there is a tool called - LockoutStatus. This tool, will allow you to see what domain controller locked the user account. From there, you should log on to the domain controller and look at the security event logs. That should narrow down the issue.
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

The Lockout tool referenced by xxdcmast will help you determine which dc locked the account based on failed login attempts. It includes an event data gatherer which you would need to use to collect failed login security event id 528, 530
This will help you locate the system from which the requests are being generated.

Along the path of PenguinN, if you have terminal servers, the user might have an active session that was established prior to the user's recent password change outside that terminal session.
Barnardos_2LSAuthor Commented:
We have already installed the lockoutstatus upon users PC.... please  find attached  the HODC1 lockout details...
Did you mean to attach, embed hofdc1 report of events?
Barnardos_2LSAuthor Commented:
Yes as per the request from xxdcmast - ID37746920. Not sure if the events log is of any help though?
I do not see anything attached perhaps because of what I amusing, the event log should tell you the some of the request which you should thn heck for virus,etc.
Note a session established prior to a user changing their password in a different session or another computer would explain this issue because the original question has a token for their credential with the now incorrect password.
If the user must maintain that session, they must change/update their password within that session which will update the cached credentials.
Barnardos_2LSAuthor Commented:
An open RDP session was discovered. Once this was closed the issue no longer occurred.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.