There should be an event that was logged which indicates the reason the account was locked – Ramhound – 2018-05-17T12:07:04.227

You start in the security log which will show failed login attempts which will lead you to where the logins are coming from. Then based on that you solve the problem. Could be an external entry point in your network that is being attacked or a service or scheduled task on a workstation/server that is running as the user with a wrong password. – Appleoddity – 2018-05-17T12:07:45.440

IIRC correctly, by default, only successful logins get logged. I'd get "lockoutstatus" from microsoft, which should show you which DC is locking the account, and create a GPO that makes failed login attempts go to the log. This will be noisy, you might want to disable it afterwards. – Patrick R. – 2018-05-17T12:24:30.760

In my experience, this often happens because the user changes their account password but forgets that they are still logged into another computer somewhere else within the same domain using their old credentials. This causes their account to become locked-out repeatedly until you find their older sessions and they logoff. Search the Security logs within the Event Viewer on a Domain Controller and filter for Event ID 4740. That will show you the other computers where that problematic account still has an older session. – Run5k – 2018-05-17T12:52:47.133

It has been several days since we heard from you. Have you made any progress? – Run5k – 2018-05-21T17:27:23.287