#1
Help in finding account lockout source

keeps getting locked out. In the past when this has happened the event viewer gave me the IP of the offending computer; this time it appears that the domain controller itself is the one locking the account. I have checked all services and scheduled tasks with no luck. I followed all the account lockout troubleshooting steps and have gotten a bit more information but I am still not able to find the source.

Here is the event log error:

A Kerberos Error Message was received:
on logon session FQDN\dcname$
Client Time:
Server Time: 23:51:33.0000 5/24/2006 Z
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error:
Client Realm:
Client Name:
Server Realm: DOMAIN
Server Name: krbtgt/DOMAIN
Target Name: krbtgt/DOMAIN@DOMAIN
Error Text:
File: e
Line: 6bc
Error Data is in record data.

(The data names the account in question.)

My Kerberos debug log says this:

1168.748> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0xb666e, accepting 0:0x3e7
1168.3104> Kerb-LSess: KerbFindCommonPaEtype using current password of acct@domain
1168.3104> Kerb-Error: KerbCallKdc failed: error 0x18. d:\nt\ds\security\protocols\kerberos\client2\logon api.cxx, line 1715
1168.3104> Kerb-Warn: KerbFindCommonPaEtype using old password of acct@domain
1168.3104> Kerb-LSess: KerbFindCommonPaEtype using current password of acct@domain
1168.3104> Kerb-Warn: KerbFindCommonPaEtype using old password of acct@domain
1168.3104> Kerb-Error: GetAuthenticationTicket: Failed to build pre-auth data: 0xc000006a. d:\nt\ds\security\protocols\kerberos\client2\logon api.cxx,

Anyone have an idea of where to go next?
|
#2
Re: Help in finding account lockout source

I have been facing the same issue for the last 20-30 days. We have been trying to work with Microsoft support but they didn't even provide us any solution. If you resolve your issue, please let me know too in resolving the issue.
|
#3
Re: Help in finding account lockout source

Have you tried to use netlogon debug logging? http://support.microsoft.com/?id=109626

Start at the PDC FSMO, which will tell what DC, and that DC will tell what server/client, and then search the client/server for batch scripts, scheduled tasks, services or anything else that uses an account in the domain.
|
#4
Re: Help in finding account lockout source

I have tried this; the Netlogon logs make it appear that the lockout is coming from the domain controller itself. The netlogon debug produces:

05/30 11:07:09 [MAILSLOT] Received ping from DC.DOM.COM (null) on <Local>
05/30 11:07:09 [MISC] NetpDcGetName: DOM.COM cache is too old. 1988266
05/30 11:07:09 [MAILSLOT] NetpDcPingListIp: DOM.COM: Sent UDP ping to 192.168.19.46
05/30 11:07:09 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to DC2.dom.com
05/30 11:07:09 [MISC] NlPingDcNameWithContext: DC2.dom.com responded over IP.
05/30 11:07:09 [MISC] NetpDcGetName: DOM.COM using cached information
05/30 11:07:09 [MISC] BEND: DsGetDcName function returns 0: Dom:CI.BEND.OR.US Acct:(null) Flags: PDC IP

Here are some event logs:

Pre-authentication failed:
User Name: user
User ID: DOM/user
Service Name: krbtgt/DOM
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=domain,DC=com
Handle ID: -
Operation ID: {0,28754813}
Process ID: 1112
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: DC$
Primary Domain: BEND
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY
|
#5
Re: Help in finding account lockout source

Try what is specified here: http://www.eksternkompetanse.no/blog...1b787f5cb.aspx
|
#6
Re: Help in finding account lockout source

Well I found it by sheer luck and coincidence. One of the techs called me about a DHCP address reservation and as I was poking around the server config I looked at the Advanced tab and then the credentials button. Sure enough there was the offending account. I was having trouble with Dynamic DNS and used this account to troubleshoot and forgot all about it; sloppy administration. You would have thought that somewhere in the logs it would have mentioned DHCP. It was also why sometimes it would take an hour to lock the account (later in the day) and sometimes it would lock in 5 minutes (in the morning).

Thanks for trying! Hopefully this will help someone.

Steve
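An added example, not part of any post in this thread: a Python sketch that parses pre-authentication failure records in the layout quoted in post #4, counts failures with code 0x18 per user and Client Address, and lists the accounts whose failures arrive from the loopback address, which in this thread turned out to mean a credential stored on the domain controller itself (the DHCP server's credentials setting). The account names, the 192.0.2.x addresses and the sample records are constructed.

```python
import re
from collections import Counter

def _record(user, addr, code="0x18"):
    """Build one constructed record in the layout quoted in post #4."""
    return ("Pre-authentication failed:\n"
            f"User Name: {user}\nUser ID: DOM/{user}\n"
            "Service Name: krbtgt/DOM\nPre-Authentication Type: 0x2\n"
            f"Failure Code: {code}\nClient Address: {addr}\n")

# Constructed sample dump; account names and 192.0.2.x addresses are made up.
SAMPLE = "\n".join([
    _record("svc-dns", "127.0.0.1"),
    _record("svc-dns", "127.0.0.1"),
    _record("jdoe", "192.0.2.10"),
    _record("backup", "192.0.2.11", code="0x25"),  # a different failure code
    "Object Open:\nObject Server: Security Account Manager\n",  # not a pre-auth record
])

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*)$")
LOOPBACK = {"127.0.0.1", "::1"}

def parse_events(text):
    """Split on blank lines; return one field dict per pre-auth failure record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("Pre-authentication failed"):
            continue  # skip other event types such as "Object Open"
        fields = {}
        for line in lines[1:]:
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        events.append(fields)
    return events

def lockout_sources(events, failure_code="0x18"):
    """Count failures with the given code per (user, client address)."""
    counts = Counter()
    for ev in events:
        if ev.get("Failure Code", "").lower() == failure_code:
            counts[(ev.get("User Name"), ev.get("Client Address"))] += 1
    return counts

def local_to_dc(counts):
    """Users with failures from loopback: look on the DC itself for the stored credential."""
    return sorted({user for (user, addr) in counts if addr in LOOPBACK})

if __name__ == "__main__":
    c = lockout_sources(parse_events(SAMPLE))
    print(c.most_common(), local_to_dc(c))
```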
|
#7
Re: Help in finding account lockout source

My problem is still persisting. I have enabled the audit log and here is the one below; please help me in resolving this issue. It is the issue of accounts getting locked.
|
#8
Thanks Steve!!!

I have been trying to track this issue down for some time, with most web posts telling me to ignore the 350+ errors I got every day. Then I came across this post and it turned out to be my issue exactly. Just wanted to chime in and say THANKS STEVE!!! Your post definitely helped me, and I'm sure lots of other folks who've been at a loss to explain their event logs.
|
#9
Re: Help in finding account lockout source

Do you realize that what you have mentioned... Literally no one, no one on the darn internet, I'm talking TechNet, Petri, every site out there, and no one had this as a solution. I know because I have been putting up with this for over a year! This was caused by following Microsoft's Best Practices and changing the default Admin name. After this was done I would get THOUSANDS of 672 Errors a day. I didn't just put it back because we had an admin leave and I had to change the password anyway, which as I tested, also caused this error apart from the name change. Long story short, I just set aside another 8 straight hours today to again tackle this issue and this was the last article I came across... Much Thanks!
|
#10
Re: Help in finding account lockout source

After we changed a user account I had the same problem as well. Seeing the failure coming from 127.0.0.1 was a real puzzler. Thanks for posting your question AND solution!

Last edited by Pacerfan9 : 02-09-2009 at 08:39 PM.