Hi @Aginash Mannarath ,
The best way to locate the source of these bad password attempts blocking the user account is to find in the DC security event logs for events id : 4740 or 4525.
In the event log you will have the IP address/name of the originating host.
You will then be able to either:
- terminate properly any stale session
- identify were the password was saved and clear it.
Keep in mind that the password may have been save in too many place including:
Scheduled tasks, windows services, web browser, web applications, Windows application, network drive, etc...
There are some good tools available for free that you can use locally on the host once it is identified to check everywhere where the password is saved.
Hope this will be helpful.