This is using MS Windows 2012R2 AD. Found that the server and domain user account were locked out suddenly. Please see the error message,
Security ID: S-1-5-18
Account Name: MAILSrv2$
Account Domain: WYN
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: S-1-5-21-2396463283-3790571017-4125249057-1624
Account Name: administrator
Caller Computer Name: MAILSrv2
Although both accounts can be reset and back to normal now, but they were locked out out of sudden?
Thanks in advantage
is your server fully patched?
This Mail used to be exchange server, however, since all mailbox been migrated to office365, all the exchange services were stopped.
Any way to trace for the possibility of password failures? through event viewer or so?
through event viewer or so?
seems you already did that with your pasted security log output
check for any scheduled tasks to run as administrator; maybe the password changed and the task tries to run with the old password?
and what "both accounts"? your message only shows administrator
also, the SID referenced ends in 1624 which tells me it is a local account, not the domain administrator which would end in 500
You are right, found the gpo for password account lockout set for 3 failed attempts.