Windows Server 2019, single domain
We have a user that mysteriously locks out several times a day. I can watch the account status with the LockOutStatus tool from the ALTools provided by Microsoft however I cannot find the source of the authentication failures. When I look in the logs for event 4625 there are 10 events there for a different user, never more than those 10 events. This is across two domain controllers, even when the LockOut tool shows failed login attempts for the problem user.
There are sites that suggest turning on failure auditing in the GPO for the domain controllers however the GPO is set to "Success,Failure" so technically speaking what we need there is enabled.
What else can I try to find out where these failures are originating from? I am about to download a trial version of ADAudit Plus to see if that tool can help find the problem.