So, if I read this correctly, you've never witnessed this yourself and it continues to happen. Sometimes, immediately after you leave? Is it possible that the user is problematic and can never remember her password? Have you looked in the console to see exactly how many failed logins there are?
AD won't lock an account unless it has failed x number of times over x minutes (set by your password policy). If there is no automated/saved process on the Mac causing this, then all that's left is the user.
In AD there are two types of operations to change a user's password - a change, which can be executed anonymously because it requires the old password as part of the request, and a reset, which does not require the old password and must be done by a user with access to be able to reset passwords for the account being targeted.
In this case, the software application is doing the reset operation, without knowledge of the user's old password but while authenticated as presumably a service account with the needed rights.
From the perspective of AD, the password is being administratively reset; password history is never enforced in this case, since the administrator doing the reset shouldn't know the user's old passwords - if they have a habit of setting the new pass to, say, `Thursday1`, having that fail to meet policy on a reset operation would be quite confusing.
While a poor user experience, the best mechanism that I can think of to handle this would be to have the web application reset the password (maybe to something they don't enter, just generated) then set the "must change password on next login" flag on the account to force the user to immediately do a password change operation, which will enforce history.
There's some discussion of using LDAP APIs in .NET to achieve the goal of enforcing history on this kind of reset here, but I'm not sure if this will be an option for you depending on the application you're using; if you control the code and the LDAP library you're using supports controls then it should be doable.
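The change/reset distinction and the two workarounds from the answer above, as an added example that is not part of the original post. It only builds the LDAP modify requests as library-neutral tuples and sends nothing. The function names are hypothetical, and the policy-hints control OID and value come from Microsoft's AD documentation rather than from this page.

```python
import secrets
import string

# LDAP_SERVER_POLICY_HINTS_OID, per Microsoft's AD documentation (not named on the page).
POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"
# Control value: BER-encoded SEQUENCE { Flags INTEGER } with Flags = 1.
POLICY_HINTS_VALUE = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

def encode_unicode_pwd(password):
    """unicodePwd takes the password wrapped in double quotes, UTF-16LE encoded."""
    return ('"' + password + '"').encode("utf-16-le")

def change_ops(old, new):
    """Change: delete the old value and add the new one in a single modify.
    The old password proves knowledge, and AD enforces history."""
    return [("delete", "unicodePwd", [encode_unicode_pwd(old)]),
            ("add", "unicodePwd", [encode_unicode_pwd(new)])]

def reset_ops(new, force_change=False):
    """Reset: a plain replace by an account with reset rights; history is skipped."""
    ops = [("replace", "unicodePwd", [encode_unicode_pwd(new)])]
    if force_change:
        # pwdLastSet = 0 is the "must change password at next logon" flag.
        ops.append(("replace", "pwdLastSet", [b"0"]))
    return ops

def generated_password(length=24):
    """Random value the user never sees; retried until it has mixed character classes."""
    alphabet = string.ascii_letters + string.digits + "!#%+-_=?"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) \
                and any(c.isdigit() for c in pw):
            return pw

def reset_then_force_change():
    """First workaround: reset to a generated value, then flag the account so the
    user's next step is a real change operation. Returns (ops, controls)."""
    return reset_ops(generated_password(), force_change=True), []

def reset_with_history(new):
    """Second workaround: reset to the user's chosen value with the policy-hints
    control attached. Marked critical (an assumption of this example) so a DC that
    does not support the control rejects the request instead of skipping history."""
    control = (POLICY_HINTS_OID, True, POLICY_HINTS_VALUE)  # (oid, criticality, value)
    return reset_ops(new), [control]
```

The tuples map directly onto the modify-operation and request-control arguments of common LDAP client libraries; AD only accepts `unicodePwd` writes over an encrypted connection.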
Best Answer
Scan the Security event log on every computer looking for a logon of that user account.