This is an automated archive.
The original was posted on /r/sysadmin by /u/Haulinbass_2001 on 2024-01-22 15:42:00+00:00.
Corporate reached out about a local user of mine's account locking just about every hour. They are using "pop a lock" script to unlock it automatically. They supposedly did some troubleshooting and passed it to me. I checked her cached creds, etc. I turned off her PC and logged her out of a shared PC, that was all I could find with the tools I have. Still the account locks. I suggested the mobile phone, the guy in Corp. said they don't authenticate against the domain, huh? I know they can lock out accounts. The screen shot they sent has EventSource which is blank, IP and Origin IP are both IPs for the DCs. Any ideas on narrowing this down?