My admin account got locked out again. I thought I had fixed this issue and posted an article at http://www.itreliable.com/wp/its-really-odd-ad-admin-account-got-locked-by-configuration-manager-health-evaluation-job/ but something still caused the issue, though not as often as before. I checked the time it happened and found this event in the Event Viewer.
Subject:
  Security ID: S-1-5-18
  Account Name: DC201$
  Account Domain: AD
  Logon ID: 0x3e7
Account That Was Locked Out:
  Security ID: S-1-2-234-23423423424-44XYXYX024
  Account Name: myadminaccount
Additional Information:
  Caller Computer Name: DC101
The caller computer is a DC in a different domain. I hadn't logged on to that server at the time. I then logged on to that computer and checked the event log, where I found Event ID 40960.
Source: LSA(LsaSrv)
Event ID: 40960
Computer: DC101.ABC.LOCAL
The Security System detected an authentication error for the server HTTP/ut123.ad.abc.local. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested."
But I don't think I or anybody else attempted to log on to any server at the time. Then I saw another event recorded 5 minutes before this one.
Source: Security-Kerberos
Event ID: 14
The password stored in Credential Manager is invalid. This might be caused by the user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential ad\myadmin
So Credential Manager is the place to check. But I saw no credentials at all after I opened Credential Manager from the Control Panel. They must be hidden!
I finally found an article talking about the same issue at https://social.technet.microsoft.com/Forums/ie/en-US/e1ef04fa-6aea-47fe-9392-45929239bd68/securitykerberos-event-id-14-credential-manager-causes-system-to-login-to-network-with-invalid?forum=w7itprosecurity
There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view. Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32.
From a command prompt run: psexec -i -s -d cmd.exe
From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr
Now I could see the stored User Names and Passwords. I had used this credential to install the SCCM client a long time ago. That matched the event log, which showed the computer was trying to contact the SCCM server when my account got locked.
I removed it and restarted the computer. Problem solved!
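
The correlation walked through above, as an added PowerShell example that is not part of the original post: it finds lockout events (ID 4740, the "Account That Was Locked Out" event) for the account on the DC, reads the caller computer name, and pulls Event ID 14 and 40960 from that computer's System log around the lockout time. The parameter defaults, the lookback window, and remote event log access to both machines are assumptions.

```powershell
# Added example: parameter defaults are assumptions taken from the names in the post.
param(
    [string]$Account = 'myadminaccount',   # locked-out account
    [string]$DomainController = 'DC201',   # DC that logged the lockout
    [int]$LookbackMinutes = 10             # how far before the lockout to search on the caller
)

# 1. Lockout events (ID 4740) in the DC's Security log, filtered to this account.
$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4740
} -ErrorAction Stop | ForEach-Object {
    # Read the event's named data fields from its XML form.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = $data['TargetUserName']
        Caller = $data['TargetDomainName']   # 4740 stores "Caller Computer Name" in this field
    }
} | Where-Object User -eq $Account

# 2. On each caller computer, look for the Kerberos / LsaSrv events around the lockout.
foreach ($l in $lockouts) {
    Get-WinEvent -ComputerName $l.Caller -FilterHashtable @{
        LogName   = 'System'
        Id        = 14, 40960
        StartTime = $l.Time.AddMinutes(-$LookbackMinutes)
        EndTime   = $l.Time.AddMinutes(1)    # small allowance for clock skew
    } -ErrorAction SilentlyContinue |
        Where-Object ProviderName -match 'Kerberos|LsaSrv' |
        Sort-Object TimeCreated |
        Select-Object @{n = 'Lockout'; e = { $l.Time }}, TimeCreated, MachineName, Id, ProviderName,
                      @{n = 'Message'; e = { ($_.Message -split "`r?`n")[0] }}
}
```

An Event ID 14 hit that names the locked account points at a stale stored credential on that machine, which is then removed with the PsExec and keymgr.dll steps above.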