My Question is WHY and HOW does a disconnected terminal server session (likely using cached credentials or expired key/session) cause a bad password event (ID:529).
I had an account locking out, and SOLVED the problem. I have read the technet topic "Troubleshooting Account Lockout":
http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx
I have read Abhijit Waikar's answer to "Windows 2008 R2/User account locked out numerous times a day":
http://social.technet.microsoft.com/Forums/windowsserver/en-US/ab1b8429-2cd1-4a1f-b276-950e5f41f23e/windows-2008-r2-user-account-locked-out-numerous-times-a-day
I have read and used the tools presented at:
use Account Lockout and Management Tool.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
Also Netwrix has got good tool to find out account lockout.
http://www.netwrix.com/account_lockout_troubleshooting.html
Troubleshooting Account Lockouts the PSS way
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
I have either missed or the information was not presented to exactly WHY and HOW a disconnected terminal session locks out an account.