If its not in the event data its difficult to say what's the root cause, Splunk only reports whats in the logs not the root cause, but that could be elsewhere in some log. That said, its normally m...
See more...
If its not in the event data its difficult to say what's the root cause, Splunk only reports whats in the logs not the root cause, but that could be elsewhere in some log. That said, its normally mistyped password's, bad password, etc. Check the Group Policy settings related to account lockout policies, password policies, and Kerberos policies with the AD admin. Ensure that these policies are configured correctly and not excessively restrictive. What about some malware or Unauthorized Access thats causing it, so it could be a number if things. It might be worth speaking to the user and ask them to show you what they are doing, so you can see and spot any obvious mistakes, they may be doing, I have also experienced in the past, odd keyboard keys/characters / locale settings that are being used could also be the cause.