In nDepth, if UserLogonFailure is showing
EventInfo: Logon Failure "myDomain\johnD" InsertionIP:SalesPC1
Does this definately mean that JohnD tried to logon to the SalesPC1 and failed?
Check also the SourceMachine and LogonType fields, they can provide you more insight. If the LogonType is showing "Windows: Interactive" (or Cached Interactive or Remote Interactive) those are all direct logons. If it's a Network logon or other type, the SourceMachine should show you where they are attempting from (it might be something like someone accessing a share on SalesPC1, not logging on directly).
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.