Hi there,
we currently have the problem that certain user accounts are regularly locked, sometimes every minute. Using the event IDs 4740 (‘user account was locked out’) and 4771 (‘kerberos pre-auth failed’) on the domain controllers, we can only narrow down the source to the Exchange servers. From there on any trace is lost. The Exchange servers have already been checked, also all hardware used by the user (laptop, smartphone) has been checked several times, no old account or credentials could be detected on any device.
Users are slowly losing patience (understandable), but I or rather we are slowly running out of ideas. Next up is an MS case, but even then we will probably spend several days / weeks (depending on the quality of the MS supporter) fighting with this problem.
Maybe you have an idea, which IDs can be checked or if and how something can be evaluated on the Exchange servers to get to the bottom of the source of the blockings.
Any idea is appreciated.