One of our employees started experiencing regular account lockouts a few weeks ago. The lockouts started soon after a domain password change. At boot, and at random times throughout the day, his account would simply reach the maximum number of bad attempts and lock. We checked to make sure he didn't have any saved credentials under the "Managed Network Passwords" settings of his user account. The few he had didn't appear to be related, but after a while we went ahead and cleared them all out. We checked all his services to make sure none were using his domain account to start. We also checked scheduled tasks, but none appeared to be the problem. We thought it might be one of his startup applications, so we disabled all his HKLM/HKCU Run and Startup folder items. This didn't fix the problem. We noticed the account would lock out even before he tried to log in, so we were sure it had to be something starting up with the computer (not part of his profile). The event log kept saying the failure was coming from stored credentials (though we had removed all the ones we knew of). We eventually cleared the registry key where all stored passwords are saved, which also forced us to remove and rejoin the domain (the machine account password probably got cleared). None of this worked.
We tried to remove all applications we thought might have some old credentials cached. We removed his ThinkPad fingerprint software, disabled his backup software, and removed Symantec. When none of this worked, I had him decrypt his drive and remove PGP Desktop (a multi-day process). The problems still persisted.

We then booted into safe mode (with networking) to see if the lockout would still happen with a bare minimum of services. It didn't. We ran msconfig to do a "diagnostic startup" (safe mode without actually being in safe mode). We waited at the logon screen to see if the account would lock out. It didn't, so we logged on and began starting services one by one. (NOTE: msconfig sets services to Disabled, so you must 1) run it, 2) set it back to normal startup, and 3) when prompted to reboot, don't; the services will then be back to their default settings.)

We started a few services, then noticed we actually weren't on the network because the DHCP service wasn't running. We started all network-related services and made sure we were authenticated on the network. We waited to see if what we had brought up so far would cause the lockout. It didn't. We started working through the rest of the services one by one, and eventually two by two. We finally got to the service "SeaPort". The service has no description, but research shows it to be installed alongside any Windows Live "Essentials". After starting the service, the account locked out. We played with the service a few times (unlocking, restarting it, unlocking, etc.) to verify it was the problem. We disabled the SeaPort service and rebooted (with everything else set back to "normal"). No lockouts! After a while, we started the service (just to make sure one last time after a clean boot). The account locked out. We permanently disabled the service.
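The checks walked through above (services started under the account, scheduled tasks, Run keys, stored credentials, and the lockout events themselves) can be gathered in one pass before resorting to a service-by-service diagnostic startup. The script below is an added example written for this post, not something the author ran; it assumes the locked-out user's SAM account name in `$User`, a domain controller name in `$DC` that the caller may read the Security log from, and that event 4740's second EventData property is the caller computer name (the machine the bad attempts came from).

```powershell
# Added example: collect likely sources of repeated bad logons for one domain account.
# Assumed inputs (placeholders, replace with real values):
$User = 'jdoe'            # SAM account name of the locked-out user
$DC   = 'DC01'            # a domain controller holding the lockout (4740) events

# 1. Services whose logon account is this user. The post's lockout happened before
#    logon, so a service account is the first place to look.
"== Services running as $User =="
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match "(^|\\)$User(@|$)" } |
    Select-Object Name, StartName, State, StartMode | Format-Table -AutoSize

# 2. Scheduled tasks whose principal is this user.
"== Scheduled tasks running as $User =="
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match "(^|\\)$User$" } |
    Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

# 3. Machine-wide and per-user Run keys (the startup items the post disabled).
"== Run keys =="
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object {
        if (Test-Path $_) { Get-ItemProperty $_ | Format-List }
    }

# 4. Stored credentials ("Managed Network Passwords" / Credential Manager).
#    Run this in the affected user's session; the vault is per-user.
"== Stored credentials (cmdkey /list) =="
cmdkey /list

# 5. Lockout events on the DC: which computer the bad attempts came from.
#    Assumption: Properties[0] = TargetUserName, Properties[1] = caller computer.
"== Recent lockouts (4740) for $User on $DC =="
Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 200 |
    Where-Object { $_.Properties[0].Value -eq $User } |
    Select-Object TimeCreated,
                  @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

If the caller computer in the 4740 events is the user's own workstation and none of the first four sections names the account, the remaining candidates are services that start under LocalSystem or NetworkService but carry their own cached password, which is exactly the case the msconfig elimination in this post uncovered.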