Domain Accounts can get locked out if the account password is changed but a previous logon to a box somewhere remains.
To locate the box which still has a logon, logon to a domain controller and filter the security log for events IDs 4740. Account lockout events will reveal which computer has a logon which is causing the lockout.
