VMware Cloud Community
BonezOz
Contributor

Account Lockout via vCenter

I have a user in our domain that is constantly being locked out of our AD.  Now normally this would be put into the TechNet forums except for one thing, the bad password is being passed through vCenter.  I've been able to trace a lot of information through our AD name servers, all the way to the vCenter logs:

[2012-08-27 15:15:37.574 01764 info 'Libs'] [ADS] Account username found, but not local
[2012-08-27 15:15:37.574 01764 info 'App'] Error 1326 authenticating user .\username.
[2012-08-27 15:15:37.589 01764 info 'App'] Error 1326 authenticating user DOMAIN\username.
[2012-08-27 15:15:37.589 01764 error 'App'] Failed to authenticate user <DOMAIN\username>
[2012-08-27 15:15:37.621 01764 info 'App'] [VpxLRO] -- FINISH task-internal-1333746 --  -- vim.SessionManager.login -- 739C576E-A884-41F9-A4ED-BAFF0F8E0AAC
[2012-08-27 15:15:37.621 01764 info 'App'] [VpxLRO] -- ERROR task-internal-1333746 --  -- vim.SessionManager.login: vim.fault.InvalidLogin:
(vim.fault.InvalidLogin) {
   dynamicType = <unset>,
   faultCause = (vmodl.MethodFault) null,
   msg = "",
}

This is occurring every 2:30hrs and 7:30hrs, which tells me that it's either a scheduled task that is occurring somewhere, or a system monitor that polls at these times, however I can't find either anywhere.

What I'm trying to figure out is if there is a way to trace the failed login attempt to a specific IP address?  The Security Logs for the server are set to forward to the name server and that only points to the vCenter server.

Other points:

Windows Server 2003 R2

vCenter Server 4.0.0 258672

ESXi 4.0.0 261974 (2 servers clustered)

VMware View 4.5.0 build-293049

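As an added example (not code from the original thread), here is a small Python script that pulls the failed-login lines out of a vpxd.log in the format quoted above and reports how regularly each account fails, which is the first thing to check when a lockout looks scheduled rather than human. It assumes the log line layout shown in the post and uses a constructed sample with a made-up LAB domain.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One failed attempt produces several vpxd.log lines (the 'Error 1326' info
# lines for .\user and DOMAIN\user, then a single 'error' line). Only the
# error line is counted so one bad password is not tallied twice.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \d+ error 'App'\] "
    r"Failed to authenticate user <(?P<user>[^>]+)>"
)

def parse_failures(lines):
    """Map each account to the sorted timestamps of its failed logins."""
    failures = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            failures[m.group("user")].append(ts)
    return {user: sorted(ts) for user, ts in failures.items()}

def dominant_interval(stamps):
    """Most common gap (whole minutes) between consecutive failures and how
    often it repeats. A fixed gap recurring through the log points at a
    scheduled caller rather than a person mistyping a password."""
    gaps = Counter(
        int((b - a).total_seconds() // 60) for a, b in zip(stamps, stamps[1:])
    )
    return gaps.most_common(1)[0] if gaps else None

# Constructed sample in the vpxd.log format quoted in the post (not real data).
SAMPLE_LOG = """\
[2012-08-27 10:15:37.574 01764 info 'App'] Error 1326 authenticating user .\\jdoe.
[2012-08-27 10:15:37.589 01764 info 'App'] Error 1326 authenticating user LAB\\jdoe.
[2012-08-27 10:15:37.589 01764 error 'App'] Failed to authenticate user <LAB\\jdoe>
[2012-08-27 11:02:10.100 01764 error 'App'] Failed to authenticate user <LAB\\asmith>
[2012-08-27 12:45:37.001 01764 error 'App'] Failed to authenticate user <LAB\\jdoe>
[2012-08-27 15:15:37.612 01764 error 'App'] Failed to authenticate user <LAB\\jdoe>
[2012-08-27 17:45:37.590 01764 error 'App'] Failed to authenticate user <LAB\\jdoe>
""".splitlines()

def report(lines=SAMPLE_LOG):
    """Return {user: (gap_minutes, count)} for accounts that failed more than once."""
    return {user: dominant_interval(stamps)
            for user, stamps in parse_failures(lines).items() if len(stamps) > 1}

if __name__ == "__main__":
    for user, (gap, n) in report().items():
        print(f"{user}: failures repeat every {gap} min ({n} times)")
```

Run against a real vpxd.log, the timestamps of the recurring account can then be lined up with Wireshark or Process Monitor captures taken at the same moment to find the process or host that opened the session.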
BonezOz
Contributor

I've discovered a bit more information in regards to my issue.  The user recently reset his domain password to one that he used previously.  Now he's no longer getting locked out and vCenter is registering a successful login.  Trouble now is I need to find out which application, or why, he's got a login set up on this server and where it's coming from.  All logs indicate that the login is coming from within the vCenter Server, but there doesn't appear to be an application or a reason as to why this is occurring; there isn't even a scheduled task within vSphere that is being called.


This issue is really baffling me, I thought for sure with the successful logins that I'd be able to discover the reason.  I've been running Process Monitor, Wireshark, and Process Explorer in order to track the logins and applications, but the only thing I've found is the logins, and something called ariliameter on port 62306.  There are multiple entries in Wireshark's logs for this until the user's account logs out about 3 or 4 seconds later.

Anyone with any ideas?

mrksiddiqui
Enthusiast

Are there any third party plugins that were installed by that user account, and any applications like Veeam that help with VMware? At the same time I would install ALockout.dll on the vCenter to confirm vCenter or its process is causing the lockout.

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displa...

If this helps answer your question please consider awarding points!
BonezOz
Contributor

Thank you, I think I may have found the answer.  There were 3 Xangati virtual appliances running in the environment.  I've now shut them down as I discovered that they were no longer necessary or used.  I have to wait for a little while to see if this is where the user's lockout/login issues were coming from.

BonezOz
Contributor

Finally found the issue, after months of searching and investigating.

Some history first:

One user within our IT team kept getting locked out of his account on a regular basis.  Initial investigation showed that this was happening from and on one of our vCenter Servers.  But after looking at scheduled tasks and not seeing one that used his credentials, deeper investigation had to occur.  First was login debugging within Windows; again this proved fruitless. Next I checked the vpxd logs within vCenter, and though this showed the logins attempting to occur, it failed to show what was calling them.

After a time I resorted to Sysinternals Process Monitor, Process Explorer and Wireshark.  These did prove a bit more in-depth and I could see the failed login attempts, but still no source.

A break came when the user reset his password back to an older password.  The lockouts stopped occurring!

Running Process Monitor and Wireshark again I started tracking down where the logins were occurring from.  It appears that over a year ago the company was looking to deploy VMware View across the South Pacific (Australia, New Zealand, southern China) and had installed 3 Xangati servers to monitor how the performance would be across several countries from a central point.  After discussing these servers I found that no one was using them and no one knew what the usernames or passwords to log in were.  I was told then to go ahead and shut them down.

An hour after shutting them down, the login of the user was due to occur again, because it had appeared through investigation to happen at specific times.  At the specified time there were no login attempts on the vCenter server, no records in the Netlogon.txt file and no entries in Wireshark or Process Monitor.

The case was solved!

There is a moral to this story, one that anyone working with any system should take to heart.  Never, ever forget on which systems you've used your personal login details to create scheduled tasks.  Always use a service account with a password set to never expire.  Besides, what would happen if you left the company and your account was used to run critical system tasks?  A deleted account would cause these to fail.

TTFN and thanks for those that had a look at this topic.
