Imagine this: a user used his own account to test a service on his own computer. The recovery option for the service was set to restart indefinitely. He tested the service and forgot about it, until one day it was time for him to change his password. Suddenly, this user was locked out. Help desk unlocked his account, and after a while his account was locked out again!
The same thing can also happen with a scheduled task that runs under a personal account, a cached password for a mapped drive, etc.
How do we troubleshoot such an issue? First things first, we need to download the Microsoft Account Lockout and Management Tools from the following website: https://www.microsoft.com/en-us/download/details.aspx?id=18465
Once you have it installed, open it up and click on File -> Select Target to type in the user account name.
If I have a domain Kennyl.us and my user account is Kenny, that's what I put in this field.
From the locked out report, we can see the “last bad pwd” time, look for the newest time, and then see where the “Orig Lock” came from.
You would then access the Event Viewer of that domain controller that locked this account, and search for event ID 4740 in the Security Log.
Now, if there are multiple 4740 events for multiple users, you will have to look for the correct one that has the user name in the Security ID and Account Name fields. What we are looking for is the Caller Computer Name field. This is the computer from which the user account attempted to log on and caused the lockout. Once we have that information, we need to access the Event Viewer of this computer. Filter for Event ID 4625 in the Security Log and try to see what is getting the account locked. Microsoft publishes a list of logon types that helps identify what is using the user account (taken from https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625).
From here, I see that the bad password had logon type 5, which means it is coming from a service. I go to services.msc on the user's computer and check for any services running with his account. I asked the user to either update the password of this service or disable it if he is no longer using it. Once he disabled the service, we no longer saw his account locked out.
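The same trace can be done from a PowerShell console instead of the LockoutStatus GUI. The script below is an added example, not part of the original post or of the Microsoft tool; it assumes the RSAT ActiveDirectory module, permission to read the Security log on the domain controllers and on the caller computer, and WinRM/RPC access to that computer. The account name `kenny` is a placeholder. It reads event fields by name from the event XML rather than by position, because for event 4740 the Caller Computer Name is stored in the `TargetDomainName` data field.

```powershell
# Added example (not from the original post): trace an AD account lockout
# with PowerShell. Assumes RSAT ActiveDirectory module, rights to read the
# DC and workstation Security logs, and WinRM/RPC to the caller computer.
Import-Module ActiveDirectory

$User = 'kenny'   # placeholder sAMAccountName of the locked-out user

# Logon types as documented by Microsoft for event 4625
$LogonType = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Pull one EventData field out of an event by its name (more robust than
# relying on the positional Properties[n] index, which differs per event ID)
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Step 1: lastBadPasswordTime is not replicated, so ask every DC, the same
# way the LockoutStatus tool builds its "last bad pwd" / "Orig Lock" report
$dcReport = foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $User -Server $dc.HostName `
        -Properties LockedOut, LastBadPasswordAttempt, AccountLockoutTime, badPwdCount
    [pscustomobject]@{
        DC = $dc.HostName; LockedOut = $u.LockedOut; BadPwdCount = $u.badPwdCount
        LastBadPwd = $u.LastBadPasswordAttempt; LockTime = $u.AccountLockoutTime
    }
}
$dcReport | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize
$origDC = ($dcReport | Sort-Object LastBadPwd -Descending | Select-Object -First 1).DC

# Step 2: event 4740 on that DC gives the Caller Computer Name
$lock = Get-WinEvent -ComputerName $origDC -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 200 |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    Select-Object -First 1
$caller = Get-EventField $lock 'TargetDomainName'   # Caller Computer Name in 4740
"Account $User locked from $caller at $($lock.TimeCreated) (recorded on $origDC)"

# Step 3: event 4625 on the caller computer shows the logon type and process
Get-WinEvent -ComputerName $caller -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    ForEach-Object {
        $t = [int](Get-EventField $_ 'LogonType')
        [pscustomobject]@{
            Time        = $_.TimeCreated
            LogonType   = "$t ($($LogonType[$t]))"
            Process     = Get-EventField $_ 'ProcessName'
            Workstation = Get-EventField $_ 'WorkstationName'
        }
    } | Format-Table -AutoSize

# Step 4: logon type 5 means a service; list services on the caller that
# run under this account (what services.msc would show in the Log On As column)
Get-CimInstance Win32_Service -ComputerName $caller |
    Where-Object { $_.StartName -like "*\$User" -or $_.StartName -like "$User@*" } |
    Select-Object Name, State, StartMode, StartName
```

Step 1 reproduces the per-DC report because a bad password count and lockout time are recorded on the DC that saw the attempt, so the newest entry points to the DC whose Security log holds the relevant 4740. If Step 3 shows logon type 4 (Batch) instead of 5, look at scheduled tasks on the caller rather than services; logon type 3 (Network) with a mapped-drive path in the process list points at cached credentials instead.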