Lock out fixer is a free tool that helps administrators to troubleshoot the locking out of domain accounts. It helps to find out the source of account lock outs by instantly querying event logs written at the time of account lockout. You can also unlock the account in any specific domain controller you want.. It also includes a event log query tool using which you can query event logs generated in any computer at any specific time.
This is how it looks and works:
1)You check the servers you want to query from the list of detected domain controllers, type in a username... Then you can either unlock the account
or you can check for the lockout status...
2) If you check the lock out status, it displays the lock out time, Last bad password time and bad password count for each of the domain controllers you selected... The time displayed is in the time zone of remote computer...You can again check the items you need and query for the audit failure logs that occurred at the lock out time on the selected servers... If the account is not locked, then it will query for the logs occurred at bad password time..
3) There is also a separate event log query tool, which allows you to enter any computer name and check for all the logs.. Again, time should be entered based on the time zone of the remote computer.
How to determine the source workstation using the tool?
Look for the event log results for any log with the username you are checking... You will see the 'Client I.P address' which is the source workstation from which a lock out has occurred...