I am trying to debug in which places (configuration files) the user credentials are mentioned on a Windows server to run various services. This is required since the password for the user has now changed and the user is trying to authenticate with the old password, which in turn locks the account since it is an invalid credential.
I thought to check the log of all users on the server (what activities are performed by users) and then filter out activities from the particular user to check in which place that user is trying to authenticate.
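
One way to carry out the check described above, as an added example that is not part of the original post: it lists the services and scheduled tasks configured to run as the account, then filters failed-logon events (Security event ID 4625) down to that account to show which process and source submitted the old password. The account name `svc_app` is a placeholder, and the script assumes an elevated session and that failed-logon auditing is enabled on the server.

```powershell
# Placeholder account name (assumption): replace with the account being locked out.
$Account = 'svc_app'

# 1. Services whose "Log on as" identity is the account.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -like "*$Account*" } |
    Select-Object Name, DisplayName, StartName, State

# 2. Scheduled tasks that run as the account.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$Account*" } |
    Select-Object TaskPath, TaskName, @{ n = 'RunAs'; e = { $_.Principal.UserId } }

# 3. Failed logons (event ID 4625) in the last 24 hours, filtered to the account.
#    Reading the Security log requires an elevated session.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the event's named <Data> fields into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        if ($data['TargetUserName'] -eq $Account) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $data['LogonType']
                Process     = $data['ProcessName']
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                SubStatus   = $data['SubStatus']
            }
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

In the output, `LogonType` 5 indicates a service start and 4 a scheduled task (batch) logon, which narrows down where the old password is still stored.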