Analyzing Logon Failures with Missing Client Information
Trying again because my first post with question still sits "Awaiting moderation" after nine days ...
Our ADAuditPlus Server reports for one of our users more than 80k logon failures per day with reason "bad password". The failures occur very regularly, twice every two minutes except for a daily gap from 22:45 to 23:00. The user himself is noticing nothing out of the ordinary. All of his accesses work. Also, the account is not being locked even though we have automatic lockout configured after three bad password attempts, which I verified to work correctly if the user actually enters a bad password three times in a row.
ADAuditPlus reports both Client IP Address and Client Host Name as "-" on these events. The "Logon Service" column reports MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 for these events while other, "normal" logon failures show krbtgt/<ourADdomain> there.
The Logon Failure Analyzer reports:
"Caller Machine is not part of any configured domain(Caller Machine Name: -)"
How would I go about identifying the source of these failures?
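
One way to profile these events from an exported report, as an added example that is not part of the original post and not ADAudit Plus code. The CSV layout, the `Time` and `User` columns, the account name `jdoe` and all sample rows are constructed assumptions; only the other column names, the "-" values and the logon service strings come from the post. It isolates the failures that carry no client details and derives their repeat period and daily quiet window, a timing signature that can be compared against scheduled jobs and service accounts on candidate machines.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

NTLM_PKG = "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"

def build_sample_csv():
    """Constructed export: column names follow the post, the layout is assumed."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["Time", "User", "Client IP Address", "Client Host Name", "Logon Service"])
    day = datetime(2024, 1, 15)
    for minute in range(0, 24 * 60, 2):
        t = day + timedelta(minutes=minute)
        if t.hour == 22 and t.minute >= 45:
            continue  # the daily silent period described in the post
        for sec in (0, 1):  # two failures per burst
            stamp = (t + timedelta(seconds=sec)).isoformat()
            w.writerow([stamp, "jdoe", "-", "-", NTLM_PKG])
    # One ordinary failure that does carry client details (constructed).
    w.writerow([(day + timedelta(hours=9)).isoformat(), "jdoe",
                "10.0.0.5", "PC-01", "krbtgt/EXAMPLE"])
    return out.getvalue()

def profile_anonymous_failures(csv_text, user):
    """Profile failures for `user` that have no client address or host name."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["User"] == user
            and r["Client IP Address"] == "-" and r["Client Host Name"] == "-"]
    services = Counter(r["Logon Service"] for r in rows)
    # Collapse each burst to the minute it occurred in, then compare neighbours.
    minutes = sorted({datetime.fromisoformat(r["Time"]).replace(second=0, microsecond=0)
                      for r in rows})
    gaps = [(b - a, a, b) for a, b in zip(minutes, minutes[1:])]
    period = Counter(g[0] for g in gaps).most_common(1)[0][0] if gaps else None
    longest = max(gaps, key=lambda g: g[0]) if gaps else None
    # Quiet window = (last active minute before, first active minute after).
    quiet = ((longest[1].time(), longest[2].time())
             if longest and longest[0] > period else None)
    return {"count": len(rows), "services": dict(services),
            "period": period, "quiet_window": quiet}

if __name__ == "__main__":
    print(profile_anonymous_failures(build_sample_csv(), "jdoe"))
```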