Hello All,
Alright, I’ve done everything I can think of and am hoping someone has a thought for me.
We have a user whose AD account gets locked daily after recent password change (which is sometimes expected right). I’ve ran a report against all computers that the user was signed into and had them sign out of them and restarted those PCs. The issue was still persisting.
I then ran a script against all computers online, took the hostnames, imported that into a powershell script to parse the Security logs to see if there were sign-in attempts / account lockout status' and the results came back to the only 2 PCs they have been using. These are logged out of and restarted nightly.
I am still continually seeing bad password attempts and can’t figure out where they are coming from. When I log into the domain controller to see if there was any activity, or security logs, it shows nothing. When I run the lockoutstatus.exe, it shows lastbadpwd attempts but again nothing in the security logs of the domain controllers.