We just started getting intruder lock-out on account xxxxxx.xxx.xxx

The 333D58C6 is the internal IPX number of the server. The account is
one of the users that used to be an administrative account and could
have been tied to some process. Severity is 1 Locus = 17 Class = 19

How can we determine which server process is causing the problem?
Arcserve is running on this server but should be using a newer dedicated
user account but could have reverted to the older account.