Friday, September 29, 2017

Domain Accounts instantly locking out after unlocking them

We deployed a lockout policy for a client and they had a couple of user accounts that were immediately getting locked out again after we unlocked them. I dug around and tried to figure out what was going on. MS Server doesn't have the best reporting for accounts locking out, but I found a freeware tool that did an excellent job helping me troubleshoot the issues.

It is called Netwrix Account Lockout Examiner and it is a lifesaver when it comes to trying to diagnose these issues. You can download it here: https://www.netwrix.com/account_lockout_examiner.html

Using that tool, I was able to figure out that the login attempts that were locking the user accounts were brute force attacks coming in on RDP on the desktop machines.

We use non-standard ports other than 3389 for RDP at this client, but they were using the correct port and the correct username for the computers. I used a free 30-day demo of RDPGuard (https://rdpguard.com) to block the incoming brute force attack by automatically adding a deny rule for the originating IP address to the Windows Firewall. It looks like the two IP addresses it caught were hitting our systems from Russia. As soon as RDPGuard did its job, the accounts stopped locking out instantly.
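For anyone who wants to see the two steps above done by hand rather than through a tool, here is an added PowerShell example. It is not code from the original post and not Netwrix's or RDPGuard's own code. The first function reads the 4740 lockout events on a domain controller to find which computer the bad logons are coming from (the diagnosis step); the second counts 4625 failed-logon events per source IP on that computer and adds a Windows Firewall block rule for any address over a threshold (what RDPGuard automates). It assumes an elevated session, logon auditing enabled in the Security log, and Windows Server 2012 / Windows 8 or later for the NetSecurity cmdlets; the threshold, window, allow list and rule-name prefix are constructed defaults.

```powershell
<#
  Added example, not from the original post and not the code of any tool it names.
  Step 1 runs on a domain controller, step 2 on the computer step 1 points at.
  Assumptions: elevated session, logon auditing on, NetSecurity module present.
#>

function Get-LockoutSource {
    # Event 4740 is logged on the DC that processed the lockout. In it,
    # TargetUserName is the locked account and TargetDomainName holds the
    # name of the computer where the failed logons originated.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        }
    }
}

function Block-FailedLogonSource {
    # Count 4625 (failed logon) events per remote IP over the last $Minutes
    # and block any address that reaches $Threshold. Logon type 10 is
    # RemoteInteractive (RDP); with NLA the failure is often logged as type 3,
    # so both are counted. Addresses in $Exclude (your own management IPs,
    # a constructed allow list) are never blocked.
    param(
        [int]$Threshold = 10,
        [int]$Minutes = 60,
        [string[]]$Exclude = @(),
        [string]$RulePrefix = 'BruteForceBlock',   # constructed rule-name prefix
        [switch]$WhatIf
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $hits = @{}
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
        $type = ($data | Where-Object Name -eq 'LogonType').'#text'
        $skip = (-not $ip) -or ($ip -in '-', '127.0.0.1', '::1') -or ($ip -in $Exclude)
        if (-not $skip -and $type -in '3', '10') {
            $hits[$ip] = 1 + [int]$hits[$ip]
        }
    }
    foreach ($ip in $hits.Keys) {
        if ($hits[$ip] -lt $Threshold) { continue }
        $name = "$RulePrefix $ip"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "$ip is already blocked"
            continue
        }
        Write-Output ("{0}: {1} failed logons in {2} min, adding block rule" -f $ip, $hits[$ip], $Minutes)
        if (-not $WhatIf) {
            # Block all inbound traffic from the address on every profile, so the
            # non-standard RDP port (or any other service) does not matter.
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -RemoteAddress $ip -Profile Any -Enabled True | Out-Null
        }
    }
}

# Usage: first on the DC, then on the computer named in CallerComputer.
# Get-LockoutSource -Hours 24 | Format-Table
# Block-FailedLogonSource -Threshold 10 -Minutes 60 -Exclude '10.0.0.5' -WhatIf
```

Run the second function with -WhatIf first and check the listed addresses against your own remote-support and VPN egress IPs before letting it create rules; a block rule for your own management address is the one failure mode that is worse than the lockouts.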

We have since changed how the users remote in at this client to a much more secure process so we have less of a chance of this occurring again. As we all know, no form of security is absolutely perfect.

Anyways, I will have to look into purchasing RDPGuard for protecting our public facing servers. It never hurts to have an extra layer of security. It can also protect other protocols like FTP, SQL, IIS and others.

(This is not a sales pitch for either of these programs. I just like to share tough fixes, and neat tools when I find them.)