BleepingComputer.com: User account being locked out without user ever logging on

This is what the security log looks like most mornings. It's only in the last 2 days that the user has been locked out when starting the workday.

I've heard it could be outlook, stored passwords, something to do with adobe... There seems to be no consensus as to what could cause these types of errors. Looking at this, can anyone give me a better idea of what to hunt for when resolving this problem?

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3512


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3514


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3516


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3518


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:03 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:03 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 539
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Account locked out
 	User Name:	[user]
 	Domain:	NCU
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID: 476
 	Transited Services: -
 	Source Network Address:	10.1.x.x
 	Source Port:	3521


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Do they have a mobile phone that gets domain email? If the password is configured incorrectly on the phone e.g. ActiveSync it will lock them out if a lockout policy is enforced.

This post has been edited by phoeneous: 20 October 2009 - 09:45 PM

They do not. We don't allow mobile devices connected to network resources like that.

Have you read this? Seems to answer your questions

MS says disable the welcome screen and use the classic logon.
All computers in the domain use a classic logon instead of the XP welcome page that displays local accounts. That occurs as soon as a computer is joined to the domain.

Obtain latest service pack for Server 03
We're already running Server '03 with SP2. With the exception of the latest releases from MS' patch day this week, we should have everything current for SPs and hotfixes.

Apply the hotfix that is mentioned in this article to the Windows Server 2003-based member computer.
Did I miss the link for the specific hotfix? I saw links for "how to download the latest service pack," but I keep reading for a link to a hotfix... and I can't see it.

Disable auditing, disable the welcome screen
Can't disable auditing, that's CIO's word on that one, and I can't change that.

The welcome screen, as above, is disabled when each computer joins the domain. The classic logon is used.

Well upon reading that, would you agree that it is an OS issue ant not a networking issue? Perhaps asking in the OS section would be better?

Which OS? Is it more a server issue that's registering credentials wrong? Or is it an XP issue that a machine is giving passwords wrong automatically somewhere? I see the errors, but I'm still not sure which side the problem is originating on: something with AD, or something with the user's computer?