I'm trying to locate a device that is locking a user's account. Using the downloadable tools, I've found which domain controller locks the account, and from that controller's security log I've found the lock is coming from a CAS server. When I look at the security log on that CAS server, it says the Workstation name is the cas server, so where can I look to see what device is trying to access the server? It doesn't help that the user has a work cell phone, home cell phone, and a tablet all configured to receive his work mail. He says he has turned them all off and the account still locks, but I can't personally verify that.
* When I say "a CAS server", it isn't always the same CAS server.
How can I determine which device is sending the bad password to the CAS server?