I have a client with a couple users getting locked out every 10 minutes or so. We can see other users generate a 4625 when they type the wrong password. We can see event 4740 when the account is locked out. We can see the timestamp for the last failed login in the lockout tool and verified this by looking directly at the attribute on all DCs in adsiedit.
However, when these users are locked out there is no corresponding 4625 in the security long, nor is there any mention of the user in the netlogon debug log (wiht debugging enabled). I am able to see 0xC000006A entries in the netlogon log for other users who use an incorrect password.
How is this user getting locked out with no 4625 generated?