The most common problem I've seen with Active Directory (and, equally, back in the days that it was just "domains", before AD was invented), is this:
Not only does a *user* have an account with the AD server, but the computer does, too.
The computer, if it's a member of the domain, has its own account and password. You can see the computer account in the Active Directory Users and Computers applet.
The thing is, no one ever understands this because they never have to type the computer's password. That's negotiated automatically with the AD server when it joins the domain, and at regular intervals thereafter. It's all under the hood.
The problem crops up any time you re-image one of the client machines. Here's how it works:
- You create a client computer.
- You join that client computer to the domain.
- Client computer negotiates, with the AD controller, its machine account password under the hood.
- Client says "Welcome to <domainname>" and asks you to reboot.
- You use the computer and it works for a while.
- You decide to create a backup image of the working system.
- You use that computer for a while. Weeks pass.
- Under the hood, at regular intervals, the client computer is re-negotiating a fresh machine password with the AD controller.
- Weeks later, something goes wrong, and you restore the computer from its imaged backup.
- That imaged backup contains the old machine password and tries to authenticate with that password.
- Server sees the machine attempt to authenticate with the bad machine password and locks out the machine (and thus whatever users are trying to authenticate from that machine).
The only solution is to delete the computer's account in the domain, set the computer to Workgroup, then set the computer back to domain and have it renegotiate a new machine password.
Is there any chance that's what happened to you?
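Added example (not part of the original answer): a PowerShell script, run elevated on the affected domain member, that checks whether the machine's secure channel to the domain is still valid and, if not, resets the machine account password in place. It uses the built-in `Test-ComputerSecureChannel` and `nltest` tools; the AD-side check at the end assumes the RSAT ActiveDirectory module is installed. The domain, server and account names (`CONTOSO`, `dc01`, `CONTOSO\helpdesk`) are placeholders, not from the post.

```powershell
# Check and repair a domain member's secure channel after an old image was
# restored. Placeholder names: CONTOSO, dc01, CONTOSO\helpdesk.

function Test-MachineTrust {
    [CmdletBinding()]
    param(
        # Domain controller to test against; omit to let Netlogon choose one.
        [string]$Server
    )
    $params = @{ Verbose = $true }
    if ($Server) { $params.Server = $Server }

    # Returns $true only if the machine can authenticate with the machine
    # account password it currently holds. A restored image that predates a
    # rotation returns $false here.
    $ok = Test-ComputerSecureChannel @params

    # nltest reports which DC was used and the secure-channel status; keep
    # this output in the ticket or incident notes.
    nltest /sc_query:$env:USERDNSDOMAIN | Out-Host
    return $ok
}

function Repair-MachineTrust {
    param(
        # An account allowed to reset the computer object's password.
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Server
    )
    # -Repair resets the machine account password on both the client and
    # the DC without leaving the domain, so the computer object (SID, group
    # memberships) is kept; the workgroup-and-rejoin route creates a new one.
    $params = @{ Repair = $true; Credential = $Credential }
    if ($Server) { $params.Server = $Server }
    Test-ComputerSecureChannel @params
}

function Get-MachinePasswordPolicy {
    # Netlogon's rotation interval in days (default 30) and whether
    # automatic rotation has been disabled on this host. Knowing the
    # interval tells you how old an image can be before it will fail.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { $p.MaximumPasswordAge } else { 30 }
        DisablePasswordChange  = [bool]$p.DisablePasswordChange
    }
}

# --- usage ---------------------------------------------------------------
Get-MachinePasswordPolicy

if (-not (Test-MachineTrust -Server 'dc01.contoso.local')) {
    $cred = Get-Credential -UserName 'CONTOSO\helpdesk' -Message 'Account that may reset the computer object'
    Repair-MachineTrust -Credential $cred -Server 'dc01.contoso.local'
    Test-MachineTrust -Server 'dc01.contoso.local'
}

# AD-side view (requires RSAT / the ActiveDirectory module): when the
# computer object's PasswordLastSet is newer than the backup image, the
# image's stored machine password is stale.
Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet
```

Two practical notes that follow from the post's scenario: compare `PasswordLastSet` on the computer object with the date the image was captured, since any image older than that timestamp will fail the secure-channel test on restore; and capture images of machines that have not yet been joined (or that have been generalized with Sysprep) so that a restored machine joins fresh instead of presenting a password the domain no longer accepts.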