Strange acct lockout source.. need help tracking it down
I need a simple step-by-step procedure for tracking down a reason or source of why a specific user account is getting locked out. I have a vague understanding of the process but everything seems all over the place as far as the info that has been returned on what to do and how to interpret data for gathering the right info. I'm not even sure what I'm looking for... I need to know these simple things:

1. Any kind of connection to why it would be locked out without that user actually doing anything, including: the computer ID where the attempted login failed; the time it occurred; anything else relevant.

Allow me to explain the strange occurrence that is happening and why this may be a challenge... A user on our network noticed one day that his account was getting locked out randomly and not by means of his own activity [he has administrative privileges, so this issue is a big concern]. He would already be logged on to his own workstation doing normal activities, and suddenly his cellphone would alert him that emails could not sync. The reason why, he found out, was because his user account was locked (Active Directory network - locks user accounts after 3 bad attempts), even while logged in at his workstation (if he logged out or the screensaver kicks in, he would not be able to log back in since it would be locked).

Logs and timing have shown that the exact time the Network Administrator (Domain) account logs into another PC (only one specific PC, not any other so far from what we can tell), his network user account gets locked out.
We've removed any local/domain account profiles of his that were once on there, he rarely uses that PC if at all anyway, we have Symantec Endpoint Protection running in realtime on it, we've run MalwareBytes (full scan), TDSSKiller, the system is fully patched and up to date security-wise, and there are no viruses or alerts found from any of them, nothing bad has happened using his account since this started happening anyway, nor is there anything else out of the ordinary.

Here's the kicker... when this first started happening, the other PC (where the Net Admin would log on) did not even have SP1 on it since it hadn't been patched/updated in some time (Win 7 32bit) (it did have an up-to-date antivirus program running at all times, however), so when I finally patched/updated it (this is after scanning and not finding anything), it suddenly stopped. Then, today, it suddenly started happening AGAIN, the same exact time the Net Admin logged in (and there were no issues when logging in as Net Admin on that PC). Nothing out of the ordinary had been done with or to the other PC since that update, no alerts were raised and it's been used several times (under the net admin account) without issue.

How is this possible? This does not happen with any other Administrative accounts, only his when the Net Admin logs onto THAT PC only, not anywhere else. It seems that SOMETHING triggers a false login attempt (3 instant, invisible failed attempts?) with his account, but what would a successful login of the Net Admin have to do with this?

I would much rather avoid it but if all else fails, the PC gets blown away and a clean install... but how will I know it won't happen again? Is it IP related? PC-Name related? Is it his account? Anyone ever seen anything like this?
July 19th, 2012 11:36am

Hi Johnny,

Thanks for posting in Microsoft TechNet forums. It is possible that some Windows service is configured to start with this specific user account and its password, which causes the account lockout. I suggest we check the articles below:

Maintaining and Monitoring Account Lockout
http://technet.microsoft.com/en-us/library/cc776964.aspx

Troubleshooting Account Lockout
http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx

Hope the information can be useful to you.

Regards
Kevin
July 20th, 2012 12:37am
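
The checks discussed in this thread (which computer the bad logons came from, when, and whether a service on that PC runs under the locked account), sketched as an added example that is not part of the original posts. `jdoe` and `WKSTN-01` are placeholder names, and the script assumes Windows PowerShell with the ActiveDirectory module, rights to read the Security logs, failed-logon auditing enabled on the PC, and English-language `schtasks` output.

```powershell
# Added example. The three values below are placeholders (assumptions).
$User      = 'jdoe'       # sAMAccountName of the account that keeps locking
$SuspectPc = 'WKSTN-01'   # PC where the Net Admin logon coincides with the lockout
$Since     = (Get-Date).AddDays(-2)

# Turn an event's named EventData fields into a hashtable.
function Get-EventField($Event) {
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# 1. Lockouts (event 4740) are recorded on the PDC emulator.
#    In 4740 the TargetDomainName field holds the caller computer name.
Import-Module ActiveDirectory
$Pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $Pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since } |
    ForEach-Object {
        $f = Get-EventField $_
        if ($f.TargetUserName -eq $User) {
            [pscustomobject]@{ Time = $_.TimeCreated; CallerComputer = $f.TargetDomainName }
        }
    }

# 2. Failed logons (event 4625) on the suspect PC name the process that
#    presented the bad password and the logon type it used.
Get-WinEvent -ComputerName $SuspectPc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since } |
    ForEach-Object {
        $f = Get-EventField $_
        if ($f.TargetUserName -eq $User) {
            [pscustomobject]@{ Time = $_.TimeCreated; LogonType = $f.LogonType
                               Process = $f.ProcessName; SourceIp = $f.IpAddress }
        }
    }

# 3. Services on the suspect PC configured to start as that account.
Get-WmiObject Win32_Service -ComputerName $SuspectPc |
    Where-Object { $_.StartName -like "*$User*" } |
    Select-Object Name, StartName, State

# 4. Scheduled tasks on the suspect PC that run as that account.
schtasks /query /s $SuspectPc /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -like "*$User*" } |
    Select-Object TaskName, 'Run As User'
```

Matching the 4740 timestamp against the 4625 entries on the PC ties each lockout to a process; stored credentials and mapped drives in other users' profiles are not covered by these four checks.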

Hi Kevin, Are there similar links to instructions like in the above links for a 2008 domain controller?
July 24th, 2012 10:16am

Hi Johnny, Please understand that although the links are for Windows Server 2003 system, the troubleshooting steps can also work in Windows Server 2008 system. Regards Kevin
July 24th, 2012 10:02pm

This topic is archived. No further replies will be accepted.