If you have multiple servers and are remoting to them regularly/irregularly, you may have a user session active on one of the servers, if you forgot to log out, but just disconnected (RDC).
Then at some point you change password and the old session still have stuff that tries to authenticate with the old password from that session, but not constantly, just irregularly.
This can cause your admin-account to become locked at irregular/illogical intervals.
Solution (with a minor but described further down) is to log back in to the servers to have the password updated in the session.
Best to remember to log off servers when work is done though.
My colleagues and me have chased our tail multiple times over the years trying to find the culprit location.
On some older server versions this task in Task Scheduler may be responsible:
Optimize Start Menu Cache Files-{xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx}
Sometimes I also suspect this task on newer systems:
User_Feed_Synchronization-{xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx}
Which is an Edge (or previously IE) feed update task. No clue why Microsoft chooses to have this set up as a task that runs under (especially admin) users by default.
It seems the task retains the original logged in credentials, so when user is disconnected and then updates password on domain, this disconnected session still runs with the old credentials.
The User_Feed task runs about once every 6-7 hours under "active" (aka logged in; but also disconnected) users, which is helping delay the actual lockout-time, which helps infuriate us when searching for the problem.
But I have also noticed that the problem sometimes continue even after "refreshing" the credentials with a new login (even with a full logout/login) after password change.
I suspect that the tasks under task scheduler does not always "refresh" the used password at login and causes lockouts anyway. Not sure how or why, as it SHOULD use the current session windows password.
The alternative solution to this problem is to just delete the two mentioned tasks. They are not system critical (afaik).
I say delete, not just disable, because I tried disabeling yesterday, but something had reactivated the task again today... So delete might be the best option.
Time will tell if the task is recreated automatically, in which case I'll see if I can find out how to prevent that from happening.
Or it could be another task that was set up under the user with old credentials.
Other times it has been a saved network credential on some computer.
- To open Credential Manager, type credential manager in the search box on the taskbar and select Credential Manager Control panel.
- Select Web Credentials or Windows Credentials
We now use Netwrix Lockout Examiner, which is great for pointing us in the right direction of our search for culprits. :)
(Just had this problem over the past 2-3 days. And found out via the Examiner that I was still logged in to three of our servers after I had changed my admin password a couple of days ago, so three servers with User_Feed triggered about every 6-7 hours "randomly" triggers the lockout)