Hi Neil,
There are some tools available from Microsoft which help you troubleshoot
account lockout issues.
You can download the tools from the following URL:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
The filename is ALTools.exe and it contains the following tools:

AcctInfo.dll - Helps isolate and troubleshoot account lockouts and to
change a user's password on a domain controller in that user's site. It
works by adding new property pages to user objects in the Active Directory
Users and Computers Microsoft Management Console (MMC).

ALockout.dll - On the client computer, helps determine a process or
application that is sending wrong credentials.
Caution: Do not use this tool on servers that host network applications or
services. Also, you should not use ALockout.dll on Exchange servers,
because it may prevent the Exchange store from starting.

ALoInfo.exe - Displays all user account names and the age of their
passwords.

EnableKerbLog.vbs - Used as a startup script, allows Kerberos to log on to
all your clients that run Windows 2000 and later.

EventCombMT.exe - Gathers specific events from event logs of several
different machines to one central location.

LockoutStatus.exe - Determines all the domain controllers that are
involved in a lockout of a user in order to assist in gathering the logs.
LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for
specific Netlogon return status codes. It directs the output to a
comma-separated value (.csv) file that you can sort further, if needed.

NLParse.exe - Used to extract and display desired entries from the
Netlogon log files.
Use these tools in conjunction with the Account Passwords and Policies
white paper, which is available at:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
HTH
Ashok
This posting is provided "AS IS" with no warranties, and confers no rights.
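
Added example, not part of the original post and not Microsoft's NLParse code: a Python version of the filtering that NLParse.exe and LockoutStatus.exe are described as doing above, pulling Netlogon log entries with chosen return status codes and writing them out as CSV. The log line layout in the regex, the sample lines, and the function names are assumptions made for illustration; the two NTSTATUS values are the standard wrong-password and account-locked-out codes.

```python
import csv
import io
import re
from collections import Counter

# NTSTATUS values of interest when triaging lockouts.
STATUS = {
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
}

# Assumed layout: "MM/DD HH:MM:SS [LOGON] ... logon of DOMAIN\user from HOST ... Returns 0x..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\].*?"
    r"logon of (?P<account>\S+) from (?P<source>\S+).*?"
    r"Returns (?P<code>0x[0-9A-Fa-f]{1,8})\s*$"
)

# Constructed sample input, not taken from a real domain controller.
SAMPLE_LOG = r"""
03/14 10:15:02 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from WKSTN01 Entered
03/14 10:15:02 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from WKSTN01 Returns 0xC000006A
03/14 10:15:09 [LOGON] SamLogon: Transitive Network logon of CONTOSO\jsmith from WKSTN01 (via MAIL01) Returns 0xC000006A
03/14 10:15:20 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from WKSTN01 Returns 0xC0000234
03/14 10:16:00 [LOGON] SamLogon: Network logon of CONTOSO\adavis from WKSTN07 Returns 0x0
03/14 10:16:30 [MISC] DsGetDcName function called
"""

def parse_netlogon(text, wanted=STATUS):
    """Return one dict per log line whose return code is in `wanted`."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Entered" lines, other categories, blank lines
        code = "0x" + m["code"][2:].upper().zfill(8)  # normalise 0x0 -> 0x00000000
        if code in wanted:
            rows.append({"timestamp": m["ts"], "account": m["account"],
                         "source": m["source"], "status": code,
                         "meaning": wanted[code]})
    return rows

def to_csv(rows):
    """Serialise the filtered rows as CSV text for further sorting."""
    buf = io.StringIO()
    fields = ["timestamp", "account", "source", "status", "meaning"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def sources_by_account(rows):
    """Count failures per (account, source machine) to show where bad credentials come from."""
    return Counter((r["account"], r["source"]) for r in rows)
```
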