One user locked out over and over again. Not typing in the wrong password.

We have one user who keeps getting locked out of her account when trying to login to her computer.  She can come in at the start of her shift, and she is locked out on her first try.  The IT staff will unlock her, then a few hours later, we get a call from her that she is locked out again.  We have rebuilt her profile on the local machine, still have the problem.  We switched her to another machine, and she is still getting locked out.  Over that last few weeks, we have tried having her call us before she logs in to check if she is locked out before she logs in.  She is locked out and a few times, she isn't locked out, but then a few hours later, she is locked out.  Changed her password, locked out using the new password after one try.  I have also reinstalled Windows 10 and reinstalled all programs and files she needs on the off chance there is a program trying to login for her under an old password.  This also did not fix the problem.  We have checked event viewer and don't see under her username.  We have also tried logging in for her using her credentials while she is standing there, and she will be locked out.  This doesn't happen all of the time, but more likely than not it happens.  Any help would be greatly appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Michal ZiembaIT AdministratorCommented:
I had some similar issues a long time ago.
Check out the mobile phone/iPad/tablet if it tries to sync her mailbox - maybe it still uses the old password.
If this wouldn't help I suggest to give a try of the ADAudit Plus by ManageEngine. There is a trial version and this should tell you from which host the user tries to log in when it is using the wrong password.
yo_beeDirector of Information TechnologyCommented:
Did she recently change her password?
Does she have a mobile device connected to Active sync?
When did this start happening? (Around he same time as password change)
Is she logged into another computer on the network that has an old cache password?

This is a good tool to use:
Once you find the DC that has the event log in the security.  Open that Event Viewer and look for an failure event around that time stamp.
i assume you scanned for virus and malware?  if not, use these :
1- update the AV - and run a full scan
2-then run these :ttp://                         MBAM
3-                  Roguekiller
4-                              ADAWARE
5-        JRT
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Shaun VermaakTechnical SpecialistCommented:
Follow my Account Lockout Investigation Process. Let me know if you have any questions.
austin minorCommented:
Start checking service, program, schedule task, etc..

Do you have mapped network drive?

Did you enable NTLM logging?

Follow this article to troubleshoot account lockout issue. Here is an informative article which can help you to find the cause and source of account lockout.
JuneaucountyAuthor Commented:
Do I put AD Audit Plus right on the Server or does it need to be ran from the local machine?  I only ask because we switched her from one laptop to another laptop and we are still having the issue.  

To answer some of the questions some of you have had.  She has changed her password a few times since we have started investigating this process.  I know this has been going on for some time now.  He have scanned her laptop and we don't see any virus or malware.  There isn't a smartphone/tablet that is using her account.  She only has the laptop.  Thank you for the help.
yo_beeDirector of Information TechnologyCommented:
You need to use the event logs from your DC to see what IP address is the triggering point. It maybe the laptop or could be generated from a server. Without narrowing this down it will be looking for a needle in a haystack.

There are plenty of links in this thread pointing you to methods to isolate the issue.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 10

From novice to tech pro — start learning today.