Troubleshooting Account Lockout (Technet)
Account Lockout and Management Tools
Account Lockout Status (LockoutStatus.exe)
SCOM Alerts & Audit Collection Services
You should be able to setup an event collection on the Security event log for that lockout and a few other events so that you get an alert. Here a just a few events that you could alert on to help monitor that account. Event ID 531 : Account disabled Event ID 532 : Account expired Event ID 535 : Password expired Event ID 539 : Logon Failure: Account locked out Event ID 644 : User account Locked out
These article have a pretty good list of other security event id’s that you can alert on as well.
I liked your way of presentation. The information you provided is great, Thank you for this, and hope in future you will come with more knowledgeable information.
Check this and finish this problem http://farisnt.blogspot.ae/2014/02/why-ad-user-account-locked-out.html
As an option take a look at Netwrix Account Lockout Examiner, it involves a lot less of legwork. It's much more advanced version of ALTools from Microsoft and it's also completely free. The product automatically checks event logs on DCs, shows source IP
or computer name, connects to that computers, checks if there are any processes running under that accounts (services, scheduled tasks, RDP sessions etc) and shows them all.