When I was a new Sys Admin, this one took me a while to figure out the first time, so hopefully this saves the next new sys admin some time.
If you have a user account that keeps getting locked out for seemingly no reason, it can be a bear to figure out. Typically, this event is not occurring locally on someone's workstation, but rather somewhere on the network. Of course, most of us know by the time we get our first sys admin gig to check the event logs, and that the Domain Controller would have a record of login failures. Some may even take the next logical step and think the DC has got to have a record of who got locked out and why.

That is actually true, but there is one small trick: rather than looking exclusively for login failures, you’ll want to check the security log for successful lockouts, meaning AD successfully locked out the account. The event code for this event is 4740, which makes it easy to filter the logs for it. What you’ll find extremely helpful in this event is the “Additional Information” section, which will show you what computer locked the account.
In my experience, 9 out of 10 of these seemingly random lockouts are caused by people not closing their RDP sessions. Typically just having them log into the machine and close their session usually solves the problem; if not, well, at least you know the machine that is *likely* causing the problem. If you’re looking for a long-term solution to this problem, you could put a GPO in place to close idle RDP sessions after so many hours.
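
To make the 4740 filter described above concrete, here is an added PowerShell example (not from the original post) that pulls the locked account and the caller computer out of each lockout event and counts lockouts per source machine. The function name `Get-LockoutSource` and all host and account names are constructed for illustration; the sample events are trimmed to the fields the function reads.

```powershell
# Added example: summarize 4740 (account locked out) events by source computer.
function Get-LockoutSource {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        # Skip anything that is not an "account was locked out" event.
        if ($x.GetElementsByTagName('EventID')[0].InnerText -ne '4740') { return }
        $data = @{}
        foreach ($d in $x.GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Time           = $x.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
            LockedAccount  = $data['TargetUserName']
            # 4740 stores the "Caller Computer Name" in the TargetDomainName field.
            CallerComputer = $data['TargetDomainName']
            LoggedOnDC     = $x.GetElementsByTagName('Computer')[0].InnerText
        }
    }
}

# Constructed sample events (hypothetical names), including one non-lockout event.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = @"
<Event xmlns="$ns"><System><EventID>{0}</EventID>
<TimeCreated SystemTime="{1}"/><Computer>DC01.example.test</Computer></System>
<EventData><Data Name="TargetUserName">{2}</Data>
<Data Name="TargetDomainName">{3}</Data></EventData></Event>
"@
$samples = @(
    $template -f 4740, '2024-03-04T08:15:02Z', 'jdoe',   'RDS-HOST-02'
    $template -f 4740, '2024-03-04T09:47:40Z', 'jdoe',   'RDS-HOST-02'
    $template -f 4740, '2024-03-04T10:03:11Z', 'asmith', 'WKS-0417'
    $template -f 4625, '2024-03-04T10:03:09Z', 'asmith', 'EXAMPLE'
)

# Which machine is locking out which account, most frequent first.
$samples | Get-LockoutSource |
    Group-Object LockedAccount, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Against a live log (run elevated on the domain controller):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#     ForEach-Object { $_.ToXml() } | Get-LockoutSource
```

A caller computer that shows up repeatedly for the same account is the first machine to check for a stale session.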