Try this solution from http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/e1ef04fa-6aea-47fe-9392-45929239bd68

从http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/e1ef04fa-6aea-47fe-9392-45929239bd68试试这个解决方案

Microsoft Support found the problem for us. Our domain accounts were locking when a Windows 7 computer was started. The Windows 7 computer had a hidden old password from that domain account. There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view.

Download PsExec.exefrom http://technet.microsoft.com/en-us/sysinternals/bb897553.aspxand copy it to C:\Windows\System32.

From a command prompt run: psexec -i -s -d cmd.exe

From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr

Remove any items that appear in the list of Stored User Names and Passwords. Restart the computer.

Microsoft 支持为我们找到了问题。我们的域帐户在 Windows 7 计算机启动时被锁定。Windows 7 计算机具有该域帐户的隐藏旧密码。有些密码可以存储在 SYSTEM 上下文中，而在普通的 Credential Manager 视图中是看不到的。

PsExec.exe从http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx下载并将其复制到C:\Windows\System32.

从命令提示符运行： psexec -i -s -d cmd.exe

从新的 DOS 窗口运行： rundll32 keymgr.dll,KRShowKeyMgr

删除出现在存储的用户名和密码列表中的任何项目。重新启动计算机。

I think this highlights a serious deficiency in Windows. We have a (techincal) user account that we use for our system consisting of a windows service and websites, with the app pools configured to run as this user.

我认为这凸显了 Windows 的一个严重缺陷。我们有一个（技术）用户帐户，用于由 Windows 服务和网站组成的系统，应用程序池配置为以此用户身份运行。

Our company has a security policy that after 5 bad passwords, it locks the account out.

我们公司的安全策略是在 5 次错误密码后锁定帐户。

Now finding out what locks out the account is practically impossible in a enterprise. When the account is locked out, the AD server should log from what process and what server caused the lock out.

现在，在企业中，找出锁定帐户的原因实际上是不可能的。当帐户被锁定时，AD 服务器应该从哪个进程和哪个服务器导致锁定。

I've looked into it and it (lock out tools) and it doesnt do this. only possible thing is a tool but you have to run it on the server and wait to see if any process is doing it. But in a enterprise with 1000s of servers thats impossible, you have to guess. Its crazy.

我已经研究过它和它（锁定工具），但它没有这样做。唯一可能的事情是一个工具，但您必须在服务器上运行它并等待查看是否有任何进程正在执行此操作。但在拥有 1000 台服务器的企业中，这是不可能的，您必须猜测。这很疯狂。

We just had a similar issue, looks like the user reset his password on Friday and over the weekend and on Monday he kept getting locked out.

我们刚刚遇到了类似的问题，看起来用户在周五和周末重置了他的密码，而在周一他一直被锁定。

Turned out to be he forgot to update his password on his mobile phone.

原来是他忘记更新手机密码了。

You need to make sure that the clocks on all your servers are correct. Kerberos errors are normally caused by your server clock being out of sync with your domain.

您需要确保所有服务器上的时钟都是正确的。Kerberos 错误通常是由您的服务器时钟与您的域不同步引起的。

UPDATE

更新

Failure code 0x12 very specifically means "Clients credentials have been revoked", which means that this error has happened once the account has been disabled, expired, or locked out.

失败代码 0x12 非常明确地表示“客户凭据已被撤销”，这意味着一旦帐户被禁用、过期或锁定，就会发生此错误。

It would be useful to try and find the previous error messages if you think that the account was active - i.e. this error message may not be the root cause, you will have different errors preceding this error, which cause the account to get locked.

如果您认为该帐户处于活动状态，那么尝试查找以前的错误消息会很有用 - 即此错误消息可能不是根本原因，您将在此错误之前出现不同的错误，从而导致帐户被锁定。

Ideally, to get a full answer, you will need to reactivate the account and keep an eye on the logs for an error occurring before the 0x12 error messages.

理想情况下，要获得完整答案，您需要重新激活帐户并密切关注日志，以了解在 0x12 错误消息之前发生的错误。

I have seen this problem when the user had set up a scheduled task to run under his account. He forgot to update the password on the task after he changed his account password. The scheduled task was trying to logon with the old password and kept locking out his account.

当用户设置计划任务以在他的帐户下运行时，我已经看到了这个问题。他在更改帐户密码后忘记更新任务的密码。计划任务尝试使用旧密码登录并一直锁定他的帐户。

May be the virus by name CONFLICKER try d.exe tool from symantec on the machine hope your problem will be resolved. Check the security logs in domain controller and scan those machines because of this virus it creates bad passwords and lock the users.

可能是名称为CON​​FLICKER 的病毒在机器上尝试使用symantec 的d.exe 工具希望您的问题得到解决。检查域控制器中的安全日志并扫描这些机器，因为这种病毒会创建错误的密码并锁定用户。

Download Microsoft Account Lockout Tools. Use LockoutStatusto find the last DC that didn't pre-authenticate the user that is having issues. Note date and time. Log into that DC, find that timeframe and check Client Address. Logoff from those servers.

下载Microsoft 帐户锁定工具。使用LockoutStatus找到最后的DC未预先进行身份验证是有问题的用户。记下日期和时间。登录该 DC，找到该时间范围并检查客户端地址。从这些服务器注销。

Finally i found my problem. SQL Reporting Service was causing my account lockout. Stop and try, after confirm no more passwords bad attempts i should reconfigure reporting services service account ---Not at Service Properties, it is in Reporting Service own config--.

最后我找到了我的问题。SQL Reporting Service 导致我的帐户锁定。停止并尝试，在确认没有更多密码错误尝试后，我应该重新配置 Reporting Services 服务帐户 ---不在服务属性中，它在 Reporting Service 自己的配置中--。

If your computer is on a domain, you can see Windows Password Rescuer Advanced, http://www.daossoft.com/documents/how-to-reset-windows-domian-account-password.html

如果您的计算机在域中，您可以看到 Windows Password Rescuer Advanced，http://www.daossoft.com/documents/how-to-reset-windows-domian-account-password.html