If an account keeps locking out, you need to find the source of the lockout. Microsoft has a nice tool for combing multiple event logs.
You can find the tool in the Account Lockout and Management Tools pack here: http://www.microsoft.com/en-gb/download/details.aspx?id=18465
1. Once you have downloaded and extracted the files, right-click eventcombMT.exe and choose “Run as administrator”.
2. Right-click in the “Select to Search” box and choose “Get DCs in domain”.
3. Next, go to Searches\Built in Searches\Account lockouts
This will put in the event id numbers you are looking for. If you have 2008 or 2012 DCs you will need to add Event Id 4740 to the list or the newer DCs won’t report back any data.
4. Finally, go to Options/Set Output Directory and change the log location to a more suitable location such as c:\logs. The default is the Temp directory.
5. You are now ready to run the tool. Click Search
6. Once the tool is finished combing the logs it will create a file for each DC in the domain. You can search the logs for the username you are troubleshooting to reveal the IP address/Hostname of the source server or workstation where the lockout originates.
For example, I found this in the log for my username:
675,AUDIT FAILURE,Security,Wed Apr 23 09:15:05 2014,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: james.white User ID: %{S-1-5-21-116214888-187446557-618671499-10971} Service Name: krbtgt/domain.com Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 172.16.0.24 Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
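With several DC files and many entries per user, it is easier to tally the failures by client address than to read them one by one. The following is an added example, not part of the original post or of the Microsoft tool: it assumes the output files use the comma-separated layout of the event 675 line quoted above, the function names are hypothetical, and the sample lines are constructed.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120) that commonly appear in these events.
KRB_ERRORS = {0x12: "KDC_ERR_CLIENT_REVOKED", 0x17: "KDC_ERR_KEY_EXPIRED",
              0x18: "KDC_ERR_PREAUTH_FAILED", 0x19: "KDC_ERR_PREAUTH_REQUIRED"}

FIELDS = re.compile(r"User Name:\s*(?P<user>\S+).*?"
                    r"Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+).*?"
                    r"Client Address:\s*(?P<addr>\S+)")

def parse_line(line):
    """Return (user, failure_code, client_address) for an event 675 line, else None."""
    parts = line.strip().split(",", 5)  # id, type, log, date, account, description
    if len(parts) != 6 or parts[0] != "675":
        return None
    m = FIELDS.search(parts[5])
    if not m:
        return None
    return m["user"], int(m["code"], 16), m["addr"]

def lockout_sources(text, username):
    """Count one user's failures, keyed by (client address, error name)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec[0].lower() == username.lower():  # AD names are case-insensitive
            counts[(rec[2], KRB_ERRORS.get(rec[1], hex(rec[1])))] += 1
    return counts.most_common()

def sample_line(ts, user, code, addr):
    # Constructed line in the layout of the entry quoted above; not real data.
    return (f"675,AUDIT FAILURE,Security,Wed Apr 23 {ts} 2014,NT AUTHORITY\\SYSTEM,"
            f"Pre-authentication failed: User Name: {user} User ID: %{{S-1-5-21-0-0-0-1001}} "
            f"Service Name: krbtgt/domain.com Pre-Authentication Type: 0x2 "
            f"Failure Code: {code} Client Address: {addr} Certificate Issuer Name: %7")

SAMPLE_LOG = "\n".join([
    sample_line("09:15:05", "james.white", "0x19", "172.16.0.24"),
    sample_line("09:15:09", "james.white", "0x18", "172.16.0.24"),
    sample_line("09:15:12", "James.White", "0x18", "172.16.0.24"),
    sample_line("09:16:40", "james.white", "0x18", "172.16.0.31"),
    sample_line("09:17:02", "other.user", "0x18", "172.16.0.24"),
    "680,AUDIT FAILURE,Security,truncated line",  # malformed line is skipped
])

if __name__ == "__main__":
    for (addr, err), n in lockout_sources(SAMPLE_LOG, "james.white"):
        print(f"{n:3d}  {addr:15s}  {err}")
```

To use it on real output, read each per-DC file from the output directory and pass its text to `lockout_sources`. The address with the most KDC_ERR_PREAUTH_FAILED entries is the first machine to check for stale credentials.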
Reference:
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Implementing-Troubleshooting-Account-Lockout.html
Si software seems really old, is it valid for 2008 R2 / 2012 / 2012 R2?
Thanks
Yes, it does work. You have to put in the event code 4740 to pick up the events from 2008+ servers.