Situation: Whenever morning, the user has a black screen and can’t login the domain computer. After restarting the computer, she can’t login because the account is locked.
Troubleshooting: The event viewer shows Event ID 40960: The Security System detected an authentication error for the server LDAP. The failure code from authentication protocol Kerberos was “The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
We find the user changed the computer screen save recently and she selects a family photo. We fix the problem by disabling the photo screen save.
Note: You may use some tools to troubleshoot this issue.
Account Lockout Tools
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
Virus alert about the Win32/Conficker worm
http://support.microsoft.com/kb/962007
Also
•user’s account in stored user name and passwords
•user’s account tied to persistent mapped drive
•user’s account as a service account
•user’s account used as an IIS application pool identity
•user’s account tied to a scheduled task
•un-suspending a virtual machine after a user’s pw as changed
•A SMARTPHONE!!!
For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541
If the multiple user ids are getting locked in AD this could be the sympton of Win32/Conficker worm.
See this similar thread too:
Event ID 40690 – Accounts keep locking out
http://social.technet.microsoft.com/Forums/en/winservergen/thread/8c684d03-c075-4015-8799-03ee9f1cd853
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/e1ef04fa-6aea-47fe-9392-45929239bd68/