Ever get locked out of your own domain? Do your users get locked out because they logged into some PC in a remote office aeons ago and the PC has not been restarted since, so they are still logged in with their old credentials? Usually this kind of thing happens after a password change, and it can be a pain in the *** to identify which PC is locking you or the user out.
Thankfully, in Windows Server 2008 and later, you can search the Security log (Event Log/Windows Logs/Security) for event ID 4740. Narrowing the filter to only the last 12 or 24 hours speeds up the search. You should see a log entry telling you that the account was locked out.
In the entry, the Caller Computer Name is the culprit PC that needs investigating as it is locking the account out.
It could be a service running on that PC with incorrect credentials, a Windows session that is still logged in and came out of suspension with the old credentials, or a mapped drive tied to the account...
Note that you have to enable Audit Account Management success through local DC policy or GPO on the Domain Controllers (which may be enabled by default, not sure). Instructions on how to do that are here: http://www.morgantechspace.com/2013/11/Event-ID-4740-A-user-account-was-locked-out.html
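The same search can be scripted instead of clicked through in the Event Log. The PowerShell below is an added example, not part of the original post: it pulls event ID 4740 from the Security log for the last N hours and lists the Caller Computer Name for each lockout. The function name `Get-LockoutSource` and its parameters are hypothetical; it assumes an elevated session on a domain controller (or `-ComputerName` pointing at one) with rights to read the Security log.

```powershell
# Added example: list recent account lockouts (event ID 4740) and the PC behind each one.
# Function and parameter names are hypothetical, not from the original post.
function Get-LockoutSource {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # domain controller whose Security log is read
        [int]$Hours = 24,                           # look-back window; a short window keeps the query fast
        [string]$UserName                           # optional: report only this account
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; treat that as "no lockouts"
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw   # access denied, unreachable DC, etc. should not be hidden
    }

    foreach ($e in $events) {
        # Read the named fields from the event XML instead of relying on their position
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }

        [pscustomobject]@{
            TimeCreated        = $e.TimeCreated
            LockedAccount      = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" is stored in the TargetDomainName field
            CallerComputerName = $data['TargetDomainName']
            LoggedOnDC         = $e.MachineName
        }
    }
}

# Run on a domain controller: which PC/account pairs caused the most lockouts in the last 12 hours
Get-LockoutSource -Hours 12 |
    Group-Object CallerComputerName, LockedAccount |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If this returns nothing even though an account is known to be locked, check that Audit Account Management success is enabled as described above.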
The links below go into more detail and also show how to set up email notifications for when the lockout event happens.