I have had a problem with an account in our domain for some time. It got locked out about once per hour after a password change. It turned out to be used as the DNS dynamic update credential on the DHCP scope.
To identify which Domain Controller the lockout came from, I used ALTools from Microsoft.
Just start lockoutstatus.exe and enter the username. This will give you a list of all the Domain Controllers and show where the lockout originated. Take note of the timestamp of when it happened, and log in to that particular Domain Controller. Head for the security log and find the timestamp you found in the account lockout tool. The failure code tells you why it failed (0x18, I think, is wrong username or password). You will also find the IP address of the culprit.
This is where my problem started. The IP address I found in this security entry was 127.0.0.1. I could not find anything on the server that was the reason for locking out that account, so I started to look for viruses... nada. Until I finally came across a post that described the same issue. That damn DHCP scope DNS dynamic update credentials thing.
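The same trace can be scripted instead of clicking through lockoutstatus.exe and the event viewer. The PowerShell below is an added example, not something from the original post: it assumes the ActiveDirectory RSAT module, rights to read the Security log on every DC remotely, and the Windows Server 2008+ event IDs 4740 (account locked out), 4771 (Kerberos pre-authentication failed) and 4625 (logon failure); `svc-example` is a placeholder account name. It first asks every DC for 4740 events naming the account (the "Caller Computer Name" in 4740 is the DC that processed the bad password), then reads the failures around that time on the caller DC, pulling out the failure code and source IP, and flags a loopback source, which is the 127.0.0.1 case above: the failing logon was made by a process on the DC itself rather than by a remote client.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory RSAT
# module, permission to read the Security log on every DC remotely, and
# Windows Server 2008+ event IDs: 4740 (account locked out), 4771 (Kerberos
# pre-authentication failed), 4625 (logon failure). 'svc-example' is a placeholder.
Import-Module ActiveDirectory

# Pull one named field out of an event's EventData. Field order differs per event ID,
# so the XML is parsed by name instead of relying on Properties[] positions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Step 1, the lockoutstatus.exe step: ask every DC for 4740 events for the user.
# In 4740 the "Caller Computer Name" is carried in the TargetDomainName field and
# names the DC that actually processed the bad password.
function Get-LockoutOrigin {
    param([Parameter(Mandatory)][string]$User, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in Get-ADDomainController -Filter *) {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if ((Get-EventField $e 'TargetUserName') -ne $User) { continue }
            [pscustomobject]@{
                Time       = $e.TimeCreated
                ReportedBy = $dc.HostName
                CallerDC   = Get-EventField $e 'TargetDomainName'
            }
        }
    }
}

# Step 2, the security-log step: on the caller DC, read the failures around the lockout
# time. 4771 carries the Kerberos status (0x18 = bad password) and the client IP;
# 4625 carries the NTLM/local substatus (0xC000006A = bad password) and the source IP.
function Get-LockoutFailures {
    param([Parameter(Mandatory)][string]$User,
          [Parameter(Mandatory)][string]$DC,
          [Parameter(Mandatory)][datetime]$Around,
          [int]$WindowMinutes = 5)
    $filter = @{ LogName = 'Security'; Id = 4771, 4625;
                 StartTime = $Around.AddMinutes(-$WindowMinutes);
                 EndTime   = $Around.AddMinutes($WindowMinutes) }
    Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        if ((Get-EventField $_ 'TargetUserName') -ne $User) { return }
        $ip   = Get-EventField $_ 'IpAddress'
        $code = if ($_.Id -eq 4771) { Get-EventField $_ 'Status' } else { Get-EventField $_ 'SubStatus' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Code    = $code
            Source  = $ip
            # A loopback source means the failing logon came from a process on the DC
            # itself (DHCP server DNS credentials, a scheduled task, a service), not
            # from a remote client.
            Local   = ($ip -in '127.0.0.1', '::1', '::ffff:127.0.0.1')
        }
      }
}

# Usage: list where the lockouts originate, then dig into the most recent one.
$origins = Get-LockoutOrigin -User 'svc-example'
$origins | Format-Table -AutoSize
$last = $origins | Sort-Object Time -Descending | Select-Object -First 1
if ($last) {
    Get-LockoutFailures -User 'svc-example' -DC $last.CallerDC -Around $last.Time |
        Format-Table -AutoSize
}
```

If every row comes back with `Local` set to true, stop looking for a remote machine and inventory what is configured on the DC itself with the old password.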
Well, well. It's solved now. I am happy :)
Some other reasons that can cause account lockouts:
- scheduled task
- disconnected RDP/Citrix session
- other third-party software with hardcoded credentials
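Once the trace points at a particular server, the places in that list can be checked in one pass. The script below is an added example, not from the original post, and is meant to be run on the server the Security log pointed at (the DC in the 127.0.0.1 case). It assumes Windows Server 2012 or later for the ScheduledTasks and DhcpServer modules, that `quser` is available, and uses `svc-example` as a placeholder account name; it only reads configuration and changes nothing.

```powershell
# Added example, not part of the original post. Run on the server the lockout trace
# points at. Assumes Windows Server 2012+ (ScheduledTasks and DhcpServer modules);
# 'svc-example' is a placeholder account name. Everything here is read-only.
function Find-AccountUsage {
    param([Parameter(Mandatory)][string]$User)
    $pattern = [regex]::Escape($User)   # matches DOMAIN\user and user@domain forms

    # Scheduled tasks that run under the account.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'ScheduledTask'; Where = $_.TaskPath + $_.TaskName } }

    # Windows services whose logon account is the user.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Where = $_.Name } }

    # DHCP server DNS dynamic update credentials (the cause in the post). The DHCP
    # server retries this credential whenever it registers a lease in DNS, so a stale
    # password here keeps locking the account.
    if (Get-Command Get-DhcpServerDnsCredential -ErrorAction SilentlyContinue) {
        $cred = Get-DhcpServerDnsCredential -ErrorAction SilentlyContinue
        if ($cred -and $cred.UserName -match $pattern) {
            [pscustomobject]@{ Kind = 'DhcpDnsCredential'; Where = "$($cred.DomainName)\$($cred.UserName)" }
        }
    }

    # Disconnected RDP sessions still holding the old password. quser prints one line
    # per session; disconnected ones show 'Disc' in the STATE column and a leading '>'
    # marks the current session.
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match '^\s*>?(\S+).*\bDisc\b' -and $Matches[1] -match $pattern) {
            [pscustomobject]@{ Kind = 'DisconnectedSession'; Where = $_.Trim() }
        }
    }
}

Find-AccountUsage -User 'svc-example' | Format-Table -AutoSize
```

Third-party software with its own stored credentials will not show up here; that still needs the vendor's configuration checked by hand.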
btw... I also tried the alockout.dll from ALTools. It didn't give me any information on this issue. I don't think it is possible to find anything in any logs.