I have been getting emails that a user is locked out, but when checking AD, he is not locked. I am using the Netwrix account lockout tool that sends me the emails.
When using Netwrix account lockout examiner, it shows locked out, as it's the application sending me the emails.
When using the Windows lockout status application, it also shows me locked out.
The user has a Mac laptop, his computer account is NOT a domain account. I had him log into OWA and it worked fine, he is not locked out.
He also logged into the office Wi-Fi, which is bridged to my LAN, thus, the user needs to use the domain account to log in, and it worked fine, he's not locked out.
I confirmed with the user, he has not changed his password for months, and all his apps on his phone work fine as well.
I logged on to my DC, and the last entry in the application log was from 11 am, and it's now over 3 pm, so nothing in the application log.
I checked the system log and there are no entries that pertain to system lockouts anywhere within 5 minutes prior or after I got the email.
I know there are logs under Microsoft-Windows, but I'm not sure what other logs to look at.
Any ideas where I can look to figure out why this user is getting locked?
In AD Administrative Center, the user shows as locked, but I had the user log into OWA and he was able to log in just fine. If he was locked, it wouldn't allow him to log in.
I can run Wireshark, but since I'm not sure what exactly is causing the lock, I would have to go through too much data to try to find something using Wireshark.
Any thoughts of how I should approach this?