Why frequent account locked out - Event ID 4740

We have frequent account locks out that seem to be origination at user's workstations:

A user account was locked out.

Subject: Security ID: S-1-5-18

Account Name: DomainController$

Account Domain: NT_DOMAIN

Logon ID: 0x3e7

Account That Was Locked Out: Security ID: S-1-5-21-2030126595-979527223-1756834886-1337

Account Name: JohnS

Additional Information: Caller Computer Name: JohnS-PC

It affects only certain workstations on the domain, and we cannot pinpoint what is actually causing this behavior. We started noticing it last week - on the day we have added New routable UPN Suffix to all domain users. We have no idea if this is the cause or just a coincidence - we've seen this happening before, but it was usually caused by phones or persistent network connections. Any ideas how to tracked down a problem?
singringAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
You sure it is not due to a mapped drive. Or something similar. Try this tool from Sourceforge:
http://sourceforge.net/projects/adlockouts/
0
singringAuthor Commented:
100% sure not a mapped drive or existing network connection. In couple of cases we had cleaned stored credentials on the affected workstation and it fixed problems. We have also notice d lots of kerberos pre-authentication failed errors (event 5771) and account was logged off (event 4634). We enabled "Do not require kerberos pre-authentication" on 2 accounts and it fixed a problem - not a single lockout.
0
Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
Stored credentials always becomes an issue after password changes as well as activesync devices which will require passwords to be changed.
0
singringAuthor Commented:
100% right, but in this case we've cleared all stored credentials and activesync is not an issue in this case (we do not host our exchange and just preparing to implement federation).
0
singringAuthor Commented:
Long story short - we've found it was Outlook locking the accounts (we added UPN suffix to prepare to implement AD federation service).
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.