I'm surprised at how many people don't seem to know about the Account Lock and Management Tools by Microsoft. When I work in an environment that doesn't have some expensive third party AD management tools this is my go to and it's really simple to use. It doesn't get quite to the level of some other tools but it points you in the right direction!
Typically, I'll unlock my account so I can work. I'll keep the AD Tool open, pointed to my account or whatever account is having the issue and refresh it every 10 minutes or so. Pretty quickly I notice a bad password attempt getting registered under the Bad Pwd Count column. You may notice you see bad attempts against more than one Domain Controller, this is because it will reflect on your primary DC.
Eventually, I'll notice which DC my account got locked on. You don't have to wait for a lock to occur to figure this out. If you ran the tool when an account was already locked, you'll most likely see something similar as in the above screenshot right away.
The beauty here is that I can right click on ADDC03 right in the tool and view the Event Viewer logs!
From this point, If I go to the Security logs and check for Audit Failure events around the time of my user's last bad password attempt and grab the IpAddress from the event details, nine times out of ten, that'll point me right to the service causing the lock. Just do an nslookup and you'll have the hostname of your culprit.
In some cases this could be a machine I left myself locked on but not logged off. It could be an application like an IM service that is using my old cached credentials or any number of things. Either way, this tool can help tell you what that is.
Happy hunting!
