Recently, the domain account of the department director is often locked, and total unlocking is not a solution. It is necessary to determine which device triggered the domain lock account.
There are many ways, I will only say one. Use POWERSHELL method.
Go to the domain controller and run the command: Get-WinEvent -FilterHashtable @{logname='security';id=4740}
Hehe, you will see a lot.
Then you definitely want to see who caused it.
Use the following POWERSHELL command
Get-WinEvent -FilterHashtable @{logname='security';id=4740} | fl
You will see the Caller Computer Name, and by this value you can find out which computer is causing it.
If someone in your company maliciously guessed someone’s password, you can find the computer account, and then the computer account can find out who is doing bad things.