http://jackstromberg.com/2013/03/finding-the-source-to-something-that-keeps-locking-a-domain-user/

Solution: We had to put the domain controller in verbose logging for the netlogon service to actually find out where the logon attempt was coming from.

First, open up command prompt as an administrator and execute the following command:

nltest /dbflag:0x2080ffff

Once done, execute the following command to turn off the debugging:

nltest /dbflag:0x0

This logs every transaction made to the file: %windir%\debug\netlogon.log (note, you need to run notepad as an administrator to read this file).