cohda-34.txt - P1 2025-11-20 Michal's AD account keeps locking. (ID:34)

20/11/25
========
Refer His AD account for log of locks.
He has a PC at home that may be trying to connect which he will shut down. I dont think this is the issue as it is failing authentication.
Will try and capture source IP of failed logins and block the source.

21/11/25
========
Account locked again.

24/11/25
========
Michal advised he had disabled the work computer at home. No account lock since.

27/11/25
========
Michal advised he couldnt log into SVN. Account was locked again.

10/2/26
=======
Michal's account was locked. AD wasn't showing it as locked. 
11:31 Sent him "Account lock issue..." email suggesting he resync his laptop at home by locking/unlocking. Also asked for the CW??? name of the machine he has at home.

12/2/26
=======
Michal's account was locked again. AD wasn't showing it as locked. 
10:44 Replied all on the "Account lock issue..." email send on the 10th.

16/2/26
========
Michal's account was locked again. AD wasn't showing it as locked. He advised that he had locked/unlocked his computer at home as I suggested. AD wasn't showing it as locked.
Unlocked his account, but he found it was locked 15min later. He said he has shutdown the computer at home.

17:71 Email from Michal advising his computer at home was not a Cohda machine.

17/2/26
========
10:15 Replied to Michal. We can rule his laptop at home out as a cause. Its not in the domain and its turned off.
10:57 Michal advised account was locked.

23/2/26
=======
Michal's account ws locked and so was the Supp0rt account!

31/3/26
=======
Michal advised account was locked.
Haven't been capturing each account lock, but its occuring most days. Michal has advised his has isololated his computer at home.
Will look at raising a ticket with Iocane.

1/4/26
======
Michal advised account was locked. logged ticket 05513232 with Iocane...

Hi Iocane Support,
 
I would like to raise a ticket in regard to Michal’s (mrzard) AD account regularly locking for no apparent reason…
-This issue started back in October with the occasional lock, but is now occurring on an almost daily basis. I have seen it lock almost as soon as it has been unlocked.
-Presumably, there is a process trying to authenticate using his credentials, but I’m not 100% sure how to fault find this. Ie track source address of failed logins. I believe these get logged in the Event viewer in AD?
-His password was not changed prior to this issue starting, which rules out a machine that has been logged in using his account looking to regain network access.
-He does have a machine at home which he uses for VPN access, but this has been used recently and has connected successfully.
-I have not 100% ruled out a nefarious activity attempting to access via the VPN. The testing I’ve done, shows that after a number of failed login attempts via the VPN will lock the account. However, we are running 2FA.
 
Any advice on how to get to the root cause of this will be appreciated.