On a small network of machines (<1000) we have a user whose account is being locked out after an indeterminate interval following a password change.

We are having severe difficulties finding the source of the invalid logon attempts and I would appreciate it greatly if some of you could go through your thought process and the checks you would perform in order to fix the problem.

All I know for sure is that the account is locked out several (5+) times a day, I can't even be sure it's due to failed login attempts as there is no record of failure until the account is locked.

So far I have tried;

• Logging the account out of everything we can think of and back in with the new password
• Scanning the user's box for any non standard software which might perform an LDAP lookup
• Checking all installed services on our production boxes to check none are attempting to run under the account
• Changing the user back to their old password (Problem persists so perhaps password change is a red herring)
• Wireshark on a box where lots of LDAP authentication is performed - Rejects only occur after account is already locked out
• Clearing the credential cache in - Control Panel -> User Accounts -> Advanced
• Looking at the local

I'm at a loss for what to try. I am happy to try any suggestions you have in order to diagnose the issue. I think my question boils down to a simple request;

I need a technique for deriving the source (Application/Host) of the invalid login attempts which are causing the account to be locked.

I'm not sure if that's even possible but I suspect there must be more I can try.

Many thanks,

CityView