My problem today, was that some donkey was logging on to server using a service account, and getting the password wrong and so locking the service account out!
So you can check on the server itself in the security log for event id 529. The hope is that this will show a Source Network Address.
What you can then do is use the following command with the Source Network Address to find the donkey that is using the computer and so locking the account out!
WMIC /NODE: <IP or hostname> COMPUTERSYSTEM GET USERNAME
This should return the username currently logged! How cool is that?!