
How to determine the source computer\device causing an account lockout?


Hi Folks,

I'm having a problem with a user's account being locked out about once per day. This user is my boss's boss, so the pressure to find a solution is somewhat higher than normal.

We are currently testing different smartphones prior to a rollout, and this user has 2-3 of them which he carries and uses at present. I have enabled security auditing for the domain and am seeing 4740 events in the logs, but the difficulty lies in the fact that the 'Caller Computer Name' field is always blank in the event, hence I am not able to determine the device which is causing the problem. If the problem was the user's desktop machine, I feel confident that that workstation name would be listed as Caller Computer, hence I am fairly certain that the problem is one of the smartphones. The problem is, how do I determine which one?

I have gone through all devices that he's currently using and verified correct operation of the ActiveSync client and Wi-Fi connections. All function correctly and I have reset the password on each to be sure. Still the problem persists.

In reading over other posts here, it seems as though the standard mantra is to install the account lockout tools and run lockoutstatus.exe to gather more information on the issue. These tools were originally built for win2k\2k3 and we are at 2k8, but apart from that, nowhere do I see that running these tools will help me to identify the source device from which the lockout occurred. I already know the user who is locked out, the time at which it occurred, and the domain controller which locked the account out.

How can I discover from which device the bad passwords are originating?

Thanks for any help,

Ian
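
An added example, not part of the original post: when a 4740 event has a blank 'Caller Computer Name', the failed-authentication events logged just before it for the same user (4771 Kerberos pre-authentication failure, 4776 NTLM credential validation) usually carry a client address or workstation name. The sketch below goes beyond the 4740 event the post mentions and correlates the three event types; the event XML, user name, addresses, helper function names and the 10-minute window are constructed assumptions.

```powershell
# Constructed sample events (not from the original post). On a domain controller,
# the same XML comes from the live Security log with:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740,4771,4776} | ForEach-Object { $_.ToXml() }
function New-SampleEvent([int]$Id, [string]$Time, [hashtable]$Data) {   # hypothetical helper
    $fields = ($Data.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event><System><EventID>$Id</EventID><TimeCreated SystemTime='$Time'/></System><EventData>$fields</EventData></Event>"
}
$sampleXml = @(
    New-SampleEvent 4771 '2024-01-10T08:58:10Z' @{ TargetUserName='jdoe'; IpAddress='::ffff:10.0.0.21'; Status='0x18' }
    New-SampleEvent 4771 '2024-01-10T08:58:40Z' @{ TargetUserName='jdoe'; IpAddress='::ffff:10.0.0.21'; Status='0x18' }
    New-SampleEvent 4776 '2024-01-10T08:59:05Z' @{ TargetUserName='jdoe'; Workstation='MAIL01'; Status='0xC000006A' }
    New-SampleEvent 4771 '2024-01-10T08:59:30Z' @{ TargetUserName='asmith'; IpAddress='::ffff:10.0.0.50'; Status='0x18' }
    New-SampleEvent 4740 '2024-01-10T08:59:41Z' @{ TargetUserName='jdoe'; TargetDomainName='' }
)

# Flatten one event's XML into an object: event ID, UTC time, and one property per <Data Name=...>.
function ConvertFrom-EventXml([string]$Xml) {                           # hypothetical helper
    $x = [xml]$Xml
    $rec = [ordered]@{
        Id   = [int]$x.Event.System.EventID
        Time = [datetime]::Parse($x.Event.System.TimeCreated.SystemTime,
                                 [cultureinfo]::InvariantCulture).ToUniversalTime()
    }
    foreach ($d in $x.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
    [pscustomobject]$rec
}

$events = $sampleXml | ForEach-Object { ConvertFrom-EventXml $_ }
$window = [timespan]::FromMinutes(10)   # assumption: how far back to look before each lockout

$report = foreach ($lock in $events | Where-Object { $_.Id -eq 4740 }) {
    # Failed authentications for the locked-out user inside the look-back window.
    $failures = $events | Where-Object {
        $_.Id -in 4771, 4776 -and $_.TargetUserName -eq $lock.TargetUserName -and
        $_.Time -le $lock.Time -and $_.Time -ge ($lock.Time - $window)
    }
    # 4771 records a client IP address; 4776 records a workstation name.
    $sources = $failures | Group-Object {
        $src = if ($_.Id -eq 4771) { $_.IpAddress } else { $_.Workstation }
        if ($src) { $src } else { '(blank)' }
    } | Sort-Object Count -Descending | ForEach-Object { "$($_.Name) x$($_.Count)" }
    [pscustomobject]@{
        LockoutTime    = $lock.Time
        User           = $lock.TargetUserName
        # In the 4740 XML, 'Caller Computer Name' is stored in the TargetDomainName field.
        CallerComputer = if ([string]::IsNullOrWhiteSpace($lock.TargetDomainName)) { '(blank)' } else { $lock.TargetDomainName }
        FailureSources = $sources -join ', '
    }
}
$report | Format-List
```

The source these events record is the host that presented the credentials to the domain controller, which can be an intermediate server rather than the end device, and the events are only logged when the corresponding audit subcategories are enabled.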

