Welcome to ask here!
Usually, for troubleshooting account lockout issue, we should follow the general troubleshooting steps below. For your reference:
- Enable audit policies for each DC then gather audit event from PDC. Check the vent 4740.
To configure the audit policy under
[Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management]
- According to the audit events on PDC determine which clients or DCs sent the failed authentication request. If the failed authentication request was sent by a DC, then we should gather the audit event on the DC. So, we can find out which clients sent the BAD password.
- After we get the workstations IP, then we need enable Audit Logon Events – Failure and Audit Process Tracking for this client, then analyze the event log to find out which process or apps send the BAD password.
Note: we need increase security log size before we enable audit. It will overwrite previous log when the security log size is so small.
Feel free to let us know if you have any questions about the information provided.
If there are any updates, welcome to share here!