I recently worked with an admin user from one of our clients. Her account kept locking out each Friday @ 6 PM. I checked Netwrix and found the server that was locking the account. This was also in the event viewer on the domain controller. I checked the credential manager on that server for any cached accounts and found none. I checked the task scheduler and there were no scheduled tasks. I checked the event viewer to verify the lock out, and found the account was trying to connect to a CIFS share.
The fix was to run this command as an administrator on that server: 'rundll32 keymgr.dll,KRShowKeyMgr'.
This will open a "Store User Names and Passwords" window. In that window, I found the user ID that was locking and removed it.