Started noticing that few AD accounts are getting locked out within Active Directory where the source, as per the monitoring reports shows that the TMG Servers of your environment, which is working as a reverse proxy for mobile clients.
An account lockout occurs after several failed authentication attempts that are made by incoming web proxy or web publishing requests (for example, an ActiveSync device that has a user’s old password saved).
To track it , go into Log & Reportss in TMG Array and find out failed authentication attempts information below.
- Run Forefront TMG 2010 console
- Select Logs & Reports item on the left pane
- Select Logging tab on the center pane
- Select Tasks tab on the right pane
- Select Edit Filter under Logging task
The TMG logs cannot be used to identify the source of the request hence still you are not able to find any denied connection and device detail which may casing the account locking problem.
By default, the change in behavior is not enabled, and the following script should be run to enable the new behavior. After you enable the new behavior, TMG will log the username that is associated with a failed logon attempt in the Username field as follows, instead of being logged as Anonymous:
domain\username (!)
Go thro with the below KB article to enable script for search failed login.
http://support2.microsoft.com/kb/2592929
Now you can see the below logs report which shows the several denied connection.
You can also see more information about device expanding “Additional Information” section into one of the log
All about Microsoft 365 & Teams 
Leave a Reply