
2 of our 5 appliances are locking my AD account. 

The lockouts of my AD account are coming from these two servers.

These appliances are not domain joined.

The only time I use my AD account on these servers is:

  1. to log into the web UI.
  2. to map network drives to move files on and off.

This started back in April and I wound up turning them off. I turned them back on a week and a half ago and deleted the btadmin profile, and that seemed to clear up the problem.

Then earlier this week I had to map a network drive to get files on and off the appliance, and it started happening again. When I map the drives I do not save my password, nor do I set it to reconnect on login, but something on the appliances is locking my account out.

We have checked Credential Manager and there are no passwords there. We have checked the net use command and there are no persistent mappings. We have searched through the registry and there are no entries tied to my AD account.

I tried deleting the profile again but this time it did not help.

I have turned them off again and the lockouts have stopped.

In April I had a BT support ticket open on this issue and they could not figure it out. Their response is to create new appliances, but that is easier said than done.

Has anyone else experienced this issue, or can anyone point me in the right direction?


Hello @frank.colvin


A good place to start with account lockouts is the lockout event on the DC running the PDC Emulator role.

You need to look for Event 4740; the "Caller Computer Name:" field will show where the account got locked out.
If the caller is your U3 appliance, it could be Password Safe attempting to log in with a bad password.
If the server you were mapping a drive to is listed in "Caller Computer Name", that could indicate the password was saved in a persistent connection.

Here is a sample lockout event from a DC running the PDC Emulator role.

EventID            : 4740
MachineName        : BTSupport-DC01.BTSupport.INT
Data               : {}
Index              : 8054594
Category           : (13824)
CategoryNumber     : 13824
EntryType          : SuccessAudit
Message            : A user account was locked out.

                     Subject:
                         Security ID:        S-1-5-18
                         Account Name:        BTSupport-DC01$
                         Account Domain:        BTSupport
                         Logon ID:        0x3e7

                     Account That Was Locked Out:
                         Security ID:        S-1-5-21-3598600114-3846692426-3237543614-1203
                         Account Name:        rdp2

                     Additional Information:
                         Caller Computer Name:    BTSupport-SQL01
Source             : Microsoft-Windows-Security-Auditing
ReplacementStrings : {rdp2, BTSupport-SQL01, S-1-5-21-3598600114-3846692426-3237543614-1203, S-1-5-18...}
InstanceId         : 4740
TimeGenerated      : 2019-12-03 8:12:02 AM
TimeWritten        : 2019-12-03 8:12:02 AM
UserName           :
Site               :
Container          :
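The steps above (find 4740 on the PDC Emulator, read "Caller Computer Name", then work out which host actually sent the bad password) can be scripted. This is an added example and not code from the thread or from BeyondTrust; it runs from an admin workstation with the ActiveDirectory RSAT module (or pass -PdcEmulator explicitly) and rights to read the Security log on the domain controllers remotely. The account name "frcolvi" and the use of 4771/4776 to find the source are assumptions added here.

```powershell
# Added example (not from the original thread). Summarise 4740 lockouts for one
# account on the PDC Emulator, then list the bad-password attempts (4771/4776)
# that caused them, with their source host or IP.
param(
    [string]$Account = 'frcolvi',       # locked-out account; assumption based on the thread
    [int]$Days = 7,
    [string]$PdcEmulator,               # optional; discovered via Get-ADDomain if omitted
    [string[]]$OtherDCs = @()           # optional extra DCs to search for 4771/4776
)

if (-not $PdcEmulator) { $PdcEmulator = (Get-ADDomain).PDCEmulator }
$since = (Get-Date).AddDays(-$Days)

# Flatten the EventData of a Security event into a name -> value hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 4740 is logged on the PDC Emulator only. The "Caller Computer Name" shown in the
# message text is stored in the TargetDomainName field of the event.
$lockouts = Get-WinEvent -ComputerName $PdcEmulator -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction Stop |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.TargetUserName -eq $Account) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Locked = $d.TargetUserName
                Caller = $d.TargetDomainName    # Caller Computer Name
                Sid    = $d.TargetSid
            }
        }
    }

"4740 lockouts for $Account on $PdcEmulator (last $Days days):"
$lockouts | Sort-Object Time | Format-Table -AutoSize
"Lockouts per Caller Computer Name:"
$lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'CallerComputerName'; e = { $_.Name } } | Format-Table -AutoSize

# The bad-password attempts themselves are 4771 (Kerberos pre-auth failed,
# Status 0x18) and 4776 (NTLM credential validation, Status 0xC000006A). They
# carry the client IP or workstation name, which the 4740 event does not.
$failures = foreach ($dc in @($PdcEmulator) + $OtherDCs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TargetUserName -ne $Account) { return }
            $badPassword = ($_.Id -eq 4771 -and $d.Status -eq '0x18') -or
                           ($_.Id -eq 4776 -and $d.Status -eq '0xc000006a')
            if (-not $badPassword) { return }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Event  = $_.Id
                Source = if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
                Status = $d.Status
            }
        }
}
"Bad-password attempts for $Account by source:"
$failures | Sort-Object Time | Format-Table -AutoSize
```

4771 and 4776 are only present if "Audit Kerberos Authentication Service" and "Audit Credential Validation" are enabled, and they land on whichever DC handled the request, so pass the other DCs with -OtherDCs. A 4771 source address that is the appliance's own IP, at a time when nobody was logged into it, is the strongest indication that a service or stored credential on that node, rather than an interactive user, is sending the stale password.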


I guess I failed to mention that the event viewers are showing the account lockouts are occurring from these two appliances, and like in your example it doesn't say what process is locking it out. FYI, there is no corresponding action in the event viewer of the offending appliances.



What events were you looking at?
The first event you should look at for lockouts is the SuccessAudit Event 4740 on the PDC Emulator.

If the "Caller Computer Name" was your U3 appliance, it means a process on the appliance attempted to connect directly to AD with a bad password x times. That would rule out most services and mapping a drive.
If you mapped a drive with an incorrect password and that caused a lockout, the Caller Computer would be the server with the share you were mapping to.
I would check Managed Accounts and Functional Accounts in Password Safe first.

Other places that can store account passwords:

/appliance
Proxy Credentials
Log File Export
SMTP Authentication
Session Monitoring Archive
Backup Location Network Path

/WebConsole
Functional Account
Managed Account
Directory Credential
Proxy Settings
Discovery Management Credentials

There are also other places in the underlying OS of the appliance, like Scheduled Tasks, Services and Credential Manager, that can store credentials.


As I have stated, we know the computers that are locking the AD account out, and we have already checked all of those. There is nothing tied to my frcolvi account. As I stated earlier, this account has only been used to access the web UI for Password Safe or to map a drive while RDP'd to the appliance. How would you check /WebConsole?



Hello @frank.colvin

/appliance is all the configuration areas that can store a credential if you log in to https://fqdn/appliance.
/WebConsole is all the areas in BI \ Password Safe that can store a credential.
If you have already checked all of those areas and cannot find your account configured, it will be difficult to find the cause.
To narrow things down, you could try to figure out what service is contacting a domain controller using a tool like TCPView from Microsoft, which does not need to be installed.
https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview
Boot up your appliance and make sure it's out of the load balancer so no AD users log in.
RDP to the desktop of the appliance, copy over Tcpview.exe and put it in C:\temp.
Start Tcpview.exe and unlock your AD account.
When your account locks, go to File | Save and save to CSV. You may want to be quick to save before the connection times out.
This should show all connections.
Filter the CSV to show only Remote Addresses that belong to your Domain Controllers.
If a BT service is connecting, you could look closer at that service.
If it's SYSTEM or some other Windows service, you will need to look there.

In the end if the appliance is just a worker node it may be quicker to redeploy a new image.
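The TCPView procedure above depends on saving the view before a short-lived connection disappears. The following is an added example, not part of the thread or a BeyondTrust tool, that does the same job from PowerShell on the appliance's desktop using Get-NetTCPConnection (the swapped-in tool here, not TCPView): it polls every second while the account is unlocked and records every process that opens a TCP connection to a domain controller, including the service name when the process is a shared svchost. The DC names, output path and polling duration are assumptions.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# session on the appliance (Windows 8 / Server 2012 or later for Get-NetTCPConnection).
param(
    [string[]]$DomainControllers = @('dc01.corp.example', 'dc02.corp.example'),  # assumption
    [int]$Seconds = 600,                                    # how long to watch
    [string]$OutFile = 'C:\temp\dc-connections.csv'         # assumption
)

# The appliance is not domain joined, so resolve the DC names through DNS directly.
$dcIps = foreach ($dc in $DomainControllers) {
    (Resolve-DnsName -Name $dc -Type A -ErrorAction Stop).IPAddress
}

# Build a PID -> service name map so connections from svchost.exe can be tied
# to the Windows service that owns them.
function Get-ServiceMap {
    $map = @{}
    foreach ($s in Get-CimInstance Win32_Service | Where-Object ProcessId -gt 0) {
        $k = [int]$s.ProcessId
        if ($map.ContainsKey($k)) { $map[$k] += ",$($s.Name)" } else { $map[$k] = $s.Name }
    }
    $map
}

$seen = @{}                                  # one row per (PID, remote address, port)
$deadline = (Get-Date).AddSeconds($Seconds)
"Watching for connections to $($dcIps -join ', ') for $Seconds seconds..."

while ((Get-Date) -lt $deadline) {
    $svc = Get-ServiceMap
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $dcIps -contains $_.RemoteAddress } |
        ForEach-Object {
            $key = "$($_.OwningProcess)|$($_.RemoteAddress)|$($_.RemotePort)"
            if ($seen.ContainsKey($key)) { return }
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $row = [pscustomobject]@{
                FirstSeen  = Get-Date
                Process    = $p.ProcessName
                Pid        = $_.OwningProcess
                Service    = $svc[[int]$_.OwningProcess]   # empty for non-service processes
                Path       = $p.Path
                RemoteAddr = $_.RemoteAddress
                RemotePort = $_.RemotePort   # 88 Kerberos, 389/636 LDAP, 445 SMB, 3268/3269 GC
                State      = $_.State
            }
            $seen[$key] = $row
            Write-Host ($row | Format-Table -AutoSize | Out-String)
        }
    Start-Sleep -Seconds 1
}

$seen.Values | Sort-Object FirstSeen | Export-Csv -Path $OutFile -NoTypeInformation
"Saved $($seen.Count) distinct DC connections to $OutFile"
```

Start it, unlock the account, and wait for the lockout; the rows printed just before the 4740 event fires are the candidates. Port 88 or 389/636 from a BeyondTrust service points at a stored credential in that product component; port 445 from SYSTEM points at a mapped drive, scheduled task or service running as that account.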


You mention "/appliance is all the configuration areas that can store a credential if you login to https://fqdn/appliance
/WebConsole is all the areas in BI \ Password Safe that can store a credential." but that isn't helpful. Can you be more specific, please?



Sure thing. 

From the message above, if you log in to /appliance

you can set credentials in these places:
Proxy Credentials
Log File Export
SMTP Authentication
Session Monitoring Archive
Backup Location Network Path

or if you log in to /WebConsole you can set credentials in these configuration areas:
Functional Account
Managed Account
Directory Credential
Proxy Settings


Thank you, I have checked all of these places and my AD account is not set on any of them. Our organization has 5 servers and only 2 of them are locking this account. With that said, would any of these settings be locking out an AD account from just 2 of these 5 servers?



Anything set in /appliance would be specific to that node so that could be the cause of an account locking on a specific node.

The configuration in /WebConsole would be common to all nodes but still worth checking. 


OK, I do not believe it would be in web console, as if that were the case the lockouts would continue when the two offending appliances were turned off.

correct?



That is correct.

