Continual Account Lockouts on Windows 7
I have been troubleshooting some account lockout problems for 2 of my users. Both are using fresh Windows 7 images. One of them was previously using Windows XP and when I decided to reimage his PC, I just went ahead and upgraded him. The problem was occurring on XP before I reimaged him (that was actually part of the reason I did). I tried using alockout.dll to troubleshoot, but it doesn't appear to create a log file on Windows 7. The other tools haven't turned up anything useful. I can't find anything in the event log that matches up, and so far I can't find anything with stored credentials that may be causing an issue. Are there any other tools/methods I could try on his machine to track down the cause?
November 22nd, 2010 6:11pm

Hi, you didn't tell a lot about the environment. Especially: Local user accounts or domain users? Are there any services running on this or another machine (if in a domain) using that account, but with a no longer matching password? The same could be the case for stored credentials on another computer in the domain. In this case you could find appropriate entries (if logging of these events is enabled) in one of the domain controllers' security logs in a domain scenario. This could tell you also the machine name, which must not always be the expected one. Best greetings from Germany, Olaf
November 23rd, 2010 5:37am

Both are domain users on domain-joined laptops. I don't have access to the DC logs, though I checked with someone who does and it wasn't apparent what the source machine was for one of the users. For the other user, it appeared to be coming from their machine. ALockout.dll would be perfect because I have full access to the workstations, just not the domain controllers. I used Aloinfo.exe to dump user info for services and tasks on one of the machines and found nothing. Running "control userpasswords2" -> Advanced -> Manage Passwords reveals nothing because the domain doesn't allow Windows credentials to be saved, and no other accounts are listed (such as a Windows Live account, for instance). The problem may be different for each user, especially since we determined that it's definitely coming from the user's machine on one, but can't determine on the other. I turned on NetLogon logging on the local machine for one of them, but it's hard to interpret a lot of what is going on. Is there a resource that will help me determine what's going on in the log? That would be helpful. Are there any other tools that I can use to either determine that a process on the workstation is at fault, or rule out the workstation?
November 23rd, 2010 6:54pm
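
Added example, not part of the original thread: one way to read a NetLogon debug log for the question above is to pull out the SamLogon result lines for the locked-out account and count failures per source machine. The line layout, the CONTOSO domain, the account names and the host names are constructed assumptions; the NTSTATUS values are the standard ones.

```python
import re
from collections import Counter

# NTSTATUS values that typically surround an account lockout
STATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000006D: "STATUS_LOGON_FAILURE",
}

# Assumed layout of a SamLogon result line; the thread id, the domain prefix
# and the "(via HOST)" part are optional, and the source name may be blank.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?(?:\S+: )?"
    r"SamLogon: (?P<kind>.+?) logon of (?P<user>\S+) from (?P<src>\S*)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<code>0x[0-9A-Fa-f]+)\s*$"
)

def failed_logons(lines, account):
    """Return (timestamp, source, via, status) for each failure of `account`."""
    want = account.lower()
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # "Entered" lines and unrelated entries carry no result
        code = int(m["code"], 16)
        user = m["user"].split("\\")[-1].lower()
        if code == 0 or user != want:
            continue  # successful logon, or a different account
        hits.append((m["ts"], m["src"] or "(blank)", m["via"],
                     STATUS.get(code, m["code"])))
    return hits

def sources(hits):
    """Count failures per source machine so the noisy host stands out."""
    return Counter(src for _, src, _, _ in hits).most_common()

# Constructed sample lines, not taken from a real log
SAMPLE = r"""
11/23 18:41:07 [LOGON] SamLogon: Network logon of CONTOSO\jdoe from LAPTOP-A Entered
11/23 18:41:07 [LOGON] SamLogon: Network logon of CONTOSO\jdoe from LAPTOP-A Returns 0xC000006A
11/23 18:41:09 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from  (via MAIL01) Returns 0xC000006A
11/23 18:41:12 [LOGON] SamLogon: Network logon of CONTOSO\jdoe from LAPTOP-A Returns 0xC0000234
11/23 18:42:00 [LOGON] SamLogon: Interactive logon of CONTOSO\asmith from LAPTOP-B Returns 0x0
""".strip().splitlines()
```

A blank source with a "via" host means the request was passed through that server, so that server's own logs are the next place to look.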

Check also resources like shared folders and printers, if those use wrong account data for connection. Disconnect all network drives and network printers and map them again. Verifying the services is easy, simply look locally in services.msc for the column Log On As (you can even sort this by the column). Any scheduled tasks on the PC in the affected user's context? You could also run into digital signing issues, which make the authentication handshake with the domain controller impossible. Especially with Windows XP and certain network card drivers we had similar issues, which went so far that the workstation could not register on a Domain Controller and its DNS, if it had the default digital signing checking set to always and the workstation as well, or if the DC was set to Digital encrypt or sign secure channel data (always) to disabled and the workstation to enabled. But in this case the computer account was the culprit, not the user account. Best greetings from Germany, Olaf
November 24th, 2010 7:44am

This topic is archived. No further replies will be accepted.
