With introduction of password policies it often comes to problems with locked out accounts. Typical scenarios for account lockout are forgotten but open RDP sessions and application stored passwords. If users change their password and RDP sessions or application with stored passwords try to authenticate with wrong credentials. This force the increase of account lockout threshold. If the threshold is reached the user is unable to perform any kind of action.
The account must be unlocked. To identify the source computer for locked out accounts behavior you can use the „LockoutStatus“ utility provided by Microsoft. The utility scans all Domain Controllers and show this one who have locked out the user. On this Domain Controller you have to filter the security log for the event id 4740. This event contains the caller id computer. This is the name of the source computer for account lockout.
