An account security policy in most businesses requires mandatory Active Directory user account lockout if the password has been entered incorrectly n times. Usually an account is locked for several minutes (5-30), when a user can’t log in the system. In some time defined by the security policies, the account is unlocked automatically.
Active Directory Account Lockout Policies
The account lockout policy is usually set in the Default Domain Policy for the whole domain. The necessary policies can be found in Computer Configuration -> Windows Settings -> Security Settings -> Account Policy -> Account Lockout Policy. These are the following policies:
- Account lockout threshold is the number of attempts to enter the correct password till the account is locked out
- Account lockout duration is the period of time during which the account is locked out (when this period is over, account lockout will be removed automatically)
- Reset account lockout counter after is the time to reset the counter of the failed login attempts
A temporary account lockout allows to reduce the risk of guessing passwords (by brute force) of AD user accounts.
The situations when a user forgets his/her password and causes the account lockout occur quite often. But in some cases the account lockout happens on no obvious reason. Then the user swears that he/she has not made any mistakes while entering the password, but his/her account has become locked somehow. The administrator can unlock the account manually by the user request, but in some time it happens again and again.
In this article we’ll demonstrate how to find which computer and program caused the Active Directory account lockout.
How to Find a Computer from Which an Account Was Locked Out
First of all, an administrator has to find out from which computer / server occur failed password attempts and goes further account lockout. The event of the domain account lockout can be found in the Security log on a domain controller. Filter the event with the ID 4740 in the security log. 
So, we have found an event that indicates that some account (the account name is specified in the string Account Name) is locked (A user account was locked out). Name of the computer from which a lockout has been carried out is shown in the field Caller Computer Name. In this case the computer name is TS01.
Note. If there are several domain controllers, the lockout event has to be searched in the logs for each of them. Also you can subscribe to the events on other DCs. This task becomes easier with Microsoft Account Lockout and Management Tools (you can download it here). With this tool, you can specify several domain controllers at once to monitor the event logs looking for the number of failures to enter the correct password by a certain user. 
How to Find Out a Program That Causes the Account Lockout
So, we have found from which computer / device the account was locked out. Now it would be great to know what program or process are the source of the lockout.
Often users complain of their account lockout after the planned change of their domain account password. This prompts that the older/incorrect password is saved in some program, script or service which regularly tries to authorize in the domain using the previous password. Let’s consider the most relevant cases when a user could have saved his/her older/incorrect password:
- Mapping a network drive via net use (Map Drive)
- In the tasks of Windows Task Scheduler
- In Windows services run from the domain account
- Data saved in the Credential Manager in the Control Panel
- Browsers
- Mobile devices (e. g., those used to access the corporate mail service)
To perform a detailed lockout audit on a selected machine, a number of local Windows audit policies should be enabled. To do it, open a group policy editor gpedit.msc on a local computer, on which a lockout source should be detected, and enable the following policies in Compute Configurations -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:
- Audit process tracking: Success , Failure
- Audit logon events: Success , Failure
Wait till an account is locked out again and find the events with the Event ID 4625 in the Security log. In our sample, this event looks like this:
As you can see from the description, the source of the account lockout is mssdmn.exe (a process which is a component of Sharepoint). Now you only have to inform the user that he/she has to update his/her password on the Sharepoint web portal.
After the analysis is over and the reason is detected and eliminated, don’t forget to disable the activated group audit policies.
I followed the event id 4625 but it doesn’t tell me what app is causing the login attempts. also, no cellphone email, any idea?
Great solution and explanation.
Well summarized !
I find almost the similar article which provides step-wise instructions to identify the source of account lockouts : https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory
After filtering for EventID 4740>General [TAB]> “Additional Information: Caller Computer Name: __________” . Log onto “fill in the blank” servername> open <Task Mgr>Users> Log-off all instances of affected userID.
Great It was a big help
In my case the culprit was: Print Spooler service on the computer the lockout originates. After restarting it (Print Spooler), the problem dissapeared.