I'm hitting a wall with this one.
I have a single AD account, whom we can refer to as RWATERS. RWATERS is constantly getting locked out on a regular basis. Using the AccountLockoutTool provided by Microsoft, I can see the originator DC for the lockout along with the bad attempts across our 5 DCs. My problem is that when I get the security logs for ANY of the DCs, I only get 4768 and 4769. I've remoted into each one individually and used EventCombMT, and both yield the same results. Lots of successes, and NO failures.
I've updated our Default Domain Policy and set Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy to log Failure for Audit Account Logon Events and Directory Service Access, then ran a gpupdate /force on all the DCs, but the results are the same.
At this point, I'm wondering if I'm experiencing replication issues on my DCs. However, dcdiag /test:replications on all the DCs comes back successful. Furthermore, it's not widespread. It's the same account consistently.
I have co-workers suggesting the nuclear options of creating a new AD account or deleting and recreating the existing one, but I'm absolutely not a fan of that. I'll open a case with MS if it gets that dire, but you guys are the smartest dudes in the room, so I came here first.
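An added example, not part of the original post, of the two checks a responder would run next: first confirm which audit subcategories are actually in effect on the DC (when advanced audit policy is in force, the legacy "Audit account logon events" setting under Local Policies is ignored), then pull the lockout (4740), Kerberos pre-auth failure (4771), NTLM validation (4776) and TGT request (4768) events for the one account from every DC in a single pass, so that the caller computer / source address and the failure code are visible side by side. It assumes the sAMAccountName RWATERS, that the ActiveDirectory module is installed, and that the caller can read the Security log on each DC remotely; the 24-hour window is arbitrary.

```powershell
# Added example, not from the original post. Assumptions: account RWATERS, ActiveDirectory
# module present, and rights to read the Security log on every DC.
$Account = 'RWATERS'
$Since   = (Get-Date).AddDays(-1)

# 1. Effective audit policy on this DC. If advanced audit policy is enabled, these
#    subcategories decide what gets logged, not the legacy Local Policies setting.
auditpol /get /subcategory:"Kerberos Authentication Service","Credential Validation","User Account Management"

# Result/Status codes worth recognising in the events collected below.
$Codes = @{
    '0x18'       = 'KDC: bad password'
    '0x12'       = 'KDC: account locked, disabled or expired'
    '0xc000006a' = 'NTLM: bad password'
    '0xc0000234' = 'NTLM: account locked out'
}

# 2. Lockout (4740), TGT request (4768), Kerberos pre-auth failure (4771), NTLM validation (4776).
#    4740 is written on the PDC emulator; the bad-password events land on whichever DC was hit.
$Filter = @{
    LogName   = 'Security'
    Id        = 4740, 4768, 4771, 4776
    StartTime = $Since
}

$Results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $Filter -ErrorAction Stop | ForEach-Object {
            # Read the EventData fields from the event XML instead of parsing the message text.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $Account) { return }   # skip other accounts

            # The "where from" field differs per event ID.
            $source = switch ($_.Id) {
                4740    { $data['TargetDomainName'] }   # Caller Computer Name
                4776    { $data['Workstation'] }
                default { $data['IpAddress'] }
            }
            $status  = $data['Status']
            if ($status -and $Codes.ContainsKey($status.ToLower())) { $status = "$status ($($Codes[$status.ToLower()]))" }
            $outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }

            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                EventId = $_.Id
                Outcome = $outcome
                Source  = $source
                Status  = $status
            }
        }
    } catch {
        # Get-WinEvent raises "No events were found ..." as an error when nothing matches.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

$Results | Sort-Object Time | Format-Table -AutoSize
```

If the auditpol output shows "No Auditing" for Kerberos Authentication Service or Credential Validation, the 4771/4776 failures were never written and no amount of log collection will find them; if the subcategories are enabled and the only failure-coded rows come from one Source, that host (or the address behind it) is where the stale credential lives.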