Awesome, thanks for that answer - that's what suspected but wasn't sure, if for some crazy reason they would be stored there besides the users client apps.
I posted because I've been dealing with crazy account lockout issues (Exchange 2013 CU-22) as in an account being locked every 3 minutes - currently pouring through posts on locating the lockout causes when all it shows is the Exchange servers in Event 4740.
I thought maybe a corrupted mailbox or something might be causing the lockouts, but I'm not an Exchange expert by any means so that may be completely ignorant.
Anyhow, It's easy when the Event 4740 points to the device, but almost impossible when the Event is only showing the lockouts coming from the 2 Exchange servers, to which I used ExMon on the Exchange servers to capture user connections.
ExMon showed me a PC, but I cleared that PC of the user's Exchange account, then ExMon only showed connections coming from "Client=MSExchangeRPC" and "none" for the Client IP address.
So now I've found some more tools I can use to possibly see more into what is causing these lockouts.
And I'm going run some health checks.
If anyone has additional input, it is appreciated!