Tip: Sometimes, you can see events 4740 (lockout) with caller computer name blank :
For this post, I copied the netlogon log (%windir%\debug\netlogon.log) to my test workstation (C:\Logs )
# Enable netlogon verbose logging on Domain Controller
# Search entries with the username "jsmith"
Select-String -Path C:\Logs\netlogon.log -Pattern 'jsmith'
# Disable netlogon verbose logging on Domain Controller
The issue was that this user changed his password but he left a session (Terminal Server) on a server using his old password.
Terminating the session resolved the issue.