99% of the time it is a bad password but you need to find out where it is being used. It can be from another machine the user uses occasionally and forgot about, where he mapped a drive to another machine using credentials (password) that has now changed. Each time the machine needs to refresh with the domain it tries to reconnect to that resource with the last credentials used.
Look for a service or scheduled job or script using their id and it could be trying an old password.
It could be a VMWare image that has just been started back up with old credentials.
The fact it is every morning would indicate a machine that is up all night. If your bad password policy is set low (3 bad tries)it would probably show up pretty fast. If it is set high (30) it could be slower to show itself.
Does the person uses external email access (Blackberry). I recently had a user who forgot they had set up a "BIS" account with their provider and used their work id and password to allow access to his work email system. 60 days later when the password expired and the user changed it, the external provider account was still trying to use the old pw, and it began locking the domain account every time it tried to sync up.
Do not believe your end user when they swear they are not using any other machine or they have no services set up to run with their account, they usually "forget" about them. Keep digging and understand how this person uses their account in order to determine where it can be coming from.
Do they have OWA from the outside into your internal email system? They may have left a home machine connected with old credentials.
Even muffed tries on unlocking your screen saver can contribute to your bad pw count.
![[smarty]](/data/assets/smilies/smarty.gif "[smarty] [smarty]")
Hard work often pays off over time, but procrastination pays off right now!