Guest And Administrator Account Locked From User Workstation
Overview/The Question
Our employees start work at 8:00. I got two notifications about accounts
being locked out at 8:02, just before a user logged into her workstation.
One notification was for DOMAIN\Guest and the other for
DOMAIN\Administrator. (We run a Server 2008 R2-based network; user
workstations are a mix of Windows 7 and XP. This workstation was 7.)
As my username suggests, I'm more of a programmer than a sysadmin. I'm
scrambling to determine:
How likely is it that I've been compromised?
What are some things I should check?
What steps should I take from here? (Degree of auditing to enable,
particular events to watch for, etc.)
The Log Message
The following appeared two times (once for Administrator, once for Guest):
Source: Microsoft-Windows-Security-Auditing
Event ID: 4740
Security ID: NT AUTHORITY\SYSTEM
AccountName: DC#
AccountDomain: DOMAIN
LoginID: 0x3e7
Account That Was Locked Out:
Security ID: NCD\Administrator
Account Name: Guest
Caller ComputerName: USERS_WORKSTATION
Environment
Network protected from the internet by WatchGuard; no ports are open
LogMeIn installed on some computers
LabTech installed on network
Investigation So Far
The domain Guest account is still listed as being disabled. However, it's a
member of all kinds of privileged groups, like Domain Admins. It's possible
I set up the group membership, but this is suspicious. Questions from
this:
Can you get a lockout message from a disabled account, or does the lockout
message mean account was enabled?
Looking at the attributes for Guest, badPwdCount=15, and it's listed as
being changed right at the time the lock message came, making me think it
was somehow unlocked before that. Is there any way to find out when it was
un-disabled (aka enabled)?
Questions
Any standard things I should be checking or steps I should be taking?
Standard auditing policies to put in place going forward?
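An added triage script (not part of the original post) that runs the checks the question asks about: it pulls the 4740 lockout events from the domain controller and parses out the caller computer, reports whether Guest and Administrator are disabled, locked, and members of privileged groups, uses repadmin replication metadata to show when userAccountControl (the disable flag) and group membership last changed, lists the related account-management and failed-authentication events in the same window, and dumps the current audit policy. It assumes the ActiveDirectory RSAT module is installed and that "DC01" is a placeholder for the DC that logged the events; remote Get-WinEvent needs the Remote Event Log Management firewall rule on the target.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and that $DC (placeholder "DC01") is the domain controller that logged 4740.
param(
    [string]$DC = "DC01",
    [string[]]$Accounts = @("Guest", "Administrator"),
    [int]$HoursBack = 24
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$HoursBack)

# 1. Lockout events. In 4740 the "TargetDomainName" field is the Caller
#    Computer Name, so fields are read by name from the event XML.
$lockouts = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $f = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $_.TimeCreated
        LockedAccount  = $f['TargetUserName']
        LockedSid      = $f['TargetSid']
        CallerComputer = $f['TargetDomainName']
    }
}
"== 4740 lockouts in the last $HoursBack h =="
$lockouts | Format-Table -AutoSize

# 2. Account state: disabled? locked? bad password count? privileged groups?
$privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
              'Account Operators','Backup Operators','Server Operators','Print Operators'
$props = @('Enabled','LockedOut','badPwdCount','lastBadPasswordAttempt',
           'whenChanged','memberOf','userAccountControl')
foreach ($name in $Accounts) {
    $u = Get-ADUser -Identity $name -Server $DC -Properties $props
    $groups = @($u.memberOf | ForEach-Object { (Get-ADGroup -Identity $_ -Server $DC).Name })
    $disabledBit = [bool]($u.userAccountControl -band 0x2)   # ACCOUNTDISABLE
    "== $name =="
    [pscustomobject]@{
        Enabled             = $u.Enabled
        DisabledBitSet      = $disabledBit
        LockedOut           = $u.LockedOut
        BadPwdCount         = $u.badPwdCount
        LastBadPassword     = $u.lastBadPasswordAttempt
        WhenChanged         = $u.whenChanged
        PrivilegedGroups    = ($groups | Where-Object { $privileged -contains $_ }) -join ', '
    } | Format-List

    # 3. When did the disable flag / memberships last change, and from which DC?
    #    repadmin prints per-attribute version, originating time and originating DSA.
    "-- replication metadata (userAccountControl, member) for $name --"
    repadmin /showobjmeta $DC $u.DistinguishedName | Select-String 'userAccountControl','member'
}

# 4. Related DC events in the same window:
#    4722 enabled, 4725 disabled, 4738 changed, 4728/4732/4756 added to group,
#    4771 Kerberos pre-auth failed, 4776 NTLM validation failed.
$pattern = ($Accounts -join '|')
"== related account-management / auth-failure events on $DC =="
Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 4722,4725,4728,4732,4738,4756,4771,4776; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize

# 5. Failed logons (4625) on each caller workstation: shows the logon type,
#    source IP and process that generated the bad passwords.
foreach ($ws in ($lockouts.CallerComputer | Sort-Object -Unique)) {
    "== 4625 on caller $ws =="
    Get-WinEvent -ComputerName $ws -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated; User = $f['TargetUserName']; LogonType = $f['LogonType']
            SourceIp = $f['IpAddress']; Process = $f['ProcessName']
        }
    } | Format-Table -AutoSize
}

# 6. What is currently being audited on the DC (run there, or via Invoke-Command).
"== audit policy =="
auditpol /get /category:*
```

Run it with domain-admin rights from a machine with RSAT: `.\Triage-Lockout.ps1 -DC DC01 -HoursBack 12`. The DisabledBitSet/Enabled line answers the "still disabled?" question directly, and the repadmin line for userAccountControl gives the originating time and DC of the last enable/disable change even when no 4722 event survives in the log.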