We have a user that keeps getting locked out and I can;t seem to trace the source of the logins.
Using the account lockout tool I can see that the user is hitting two domain controllers, the PDC and a secondary (used for ADFS). Checking the event log on the PDC ir ports that the source of the login was from the secondary DC, checking the event log on the secondary DC I see ::1 listed as the IP address the request is coming from. This would suggest that the login request is coming directly to the secondary DC.
As this is an ADFS server servicing login requests for Office 365 SSO i wonder if the user may have a device trying to check email at regular intervals with an old password, does this sound feasible?
Or does anyone have any other ideas on what this could be?
Drac