
One of our users gets locked out of AD once a week. I have identified the source computer that causes the lockout by checking event 4740 on our domain controller.

By monitoring network activity with Procmon from the Sysinternals tools, the only process communicating with our domain controller at the time of the lockout is lsass.exe. I can reproduce the account lockout manually by authenticating with a wrong password and verify that it is indeed lsass.exe that causes the lockout:

# Reproduce the lockout: 30 logon attempts for DOMAIN\USER with the wrong password 'aaa'
1..30 | ForEach-Object { Start-Process calc.exe -Credential (New-Object System.Management.Automation.PSCredential ('DOMAIN\USER', (ConvertTo-SecureString 'aaa' -AsPlainText -Force))) }

How do I analyze lsass.exe further to find out which application periodically causes these account lockouts? I have checked everything else on the target machine that has been mentioned in other articles; my last hope is debugging lsass.exe. If that does not work, the only other option will be to reimage the client. We have checked everything else and did not find the root cause.

David Trevor

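Before attaching a debugger to lsass.exe, the cheaper route is to let the source computer tell you which process handed the bad credentials to LSA. lsass.exe is only the broker; the caller is recorded in the Security log (event 4625 carries "Caller Process Name", event 4648 records explicit credential use with its process) and, with Netlogon debug logging switched on, in %windir%\debug\netlogon.log. The script below is an added example, not part of the original question: it assumes you run it as an administrator on the computer named as "Caller Computer Name" in event 4740, and that `$lockoutTime` is copied from that 4740 event. The event IDs, the `nltest /dbflag` value and the netlogon.log path are Microsoft-documented; the time window and the NTSTATUS code filtered for (0xC000006A, STATUS_WRONG_PASSWORD) are my choices.

```powershell
# Added example, not code from the original post.
# Run on the source computer identified by event 4740 (Caller Computer Name).
# Assumption: failure auditing for the Logon subcategory is enabled; enable it with
#   auditpol /set /subcategory:"Logon" /failure:enable
# Placeholder: copy the real timestamp from the 4740 event on the domain controller.
$lockoutTime = Get-Date '2024-01-01 08:00:00'
$window      = New-TimeSpan -Minutes 10   # my choice: look 10 minutes either side

function Get-BadPasswordCallers {
    param(
        [datetime]$Around,
        [timespan]$Window,
        [string]$TargetUser = 'USER'        # placeholder: sAMAccountName from the 4740 event
    )

    # 4625 = logon failure (includes Caller Process Name), 4648 = logon with explicit credentials
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625, 4648
        StartTime = $Around - $Window
        EndTime   = $Around + $Window
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData XML into a name -> value table
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -and $data['TargetUserName'] -ne $TargetUser) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Id          = $e.Id
            TargetUser  = $data['TargetUserName']
            LogonType   = $data['LogonType']        # 4625 only
            Status      = $data['Status']           # 4625: 0xC000006A = wrong password, 0xC0000234 = locked out
            SubStatus   = $data['SubStatus']
            ProcessId   = $data['ProcessId']
            ProcessName = $data['ProcessName']      # the process that called LSA
            Workstation = $data['WorkstationName']
            TargetServer = $data['TargetServerName'] # 4648 only: where the credentials were sent
        }
    }
}

Get-BadPasswordCallers -Around $lockoutTime -Window $window |
    Sort-Object Time |
    Format-Table Time, Id, LogonType, Status, ProcessId, ProcessName, TargetServer -AutoSize

# If the Security log shows nothing (for example the credentials are sent by a network logon
# to another server, where the 4625 is logged instead), enable Netlogon debug logging on the
# client and wait for the next lockout:
#   nltest /dbflag:0x2080ffff    (turn off again with: nltest /dbflag:0x0)
# Then pull the failed logons for the user out of the log:
$netlogonLog = Join-Path $env:windir 'debug\netlogon.log'
if (Test-Path $netlogonLog) {
    Select-String -Path $netlogonLog -Pattern 'SamLogon' -Context 0, 1 |
        Where-Object { $_.Line -match 'USER' -and $_.Context.PostContext -match '0xC000006A' } |
        ForEach-Object { $_.Line; $_.Context.PostContext }
}
```

Read the ProcessId/ProcessName column against the process list you capture at the same moment (Procmon's process tree or `Get-Process -IncludeUserName`): a 4625 with Logon Type 2 or 9 and a caller such as svchost.exe (the seclogon service behind `Start-Process -Credential`) points at runas-style launches, Logon Type 4 at a scheduled task, Logon Type 5 at a service with a stale password, and a 4648 with a TargetServerName at a mapped drive or stored credential for that server. Only if the client logs nothing at all does debugging lsass.exe itself become necessary.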