Hello @Joomla
You should look at the logon type. It is usally due to a bad cached credential or a stored credential for some specific access. The one that the user introduces would be the "Interactive Logon", while other codes such as Network Logon or Service, are related to stored credentials.
Hope this helps with your query,
--
--If the reply is helpful, please Upvote and Accept as answer--