I thought I start of this blog with adding helpful scripts and tips I get to use.
Here is the first and a very helpful tool from MS
- RunĀ LockoutStatus.exe.
- Enter the username and find out which of your DCs was the source of the lock (“Orig Lock” column) and when it happened (“Lockout Time” column).
- Examine the Security log on the DC at that time and you will usually be able to pinpoint it to a specific machine.
- Once you have the machine it’s usually:
- User has a scheduled task running in their name and their password has changed.
- User has a disconnected RDP session.