In case of the account lockout I would suggest you to do the following:
First Identity the Source from where the bad credentials are being getting generated, to do that please create the below mentioned group policy at domain level:
Audit Account Logon Events - Success and Failure
Audit Logon Events - Success and Failure
Account Management - Success
Then Enabled the Netlogon logging on all the domain controllers : Please refer the below mentioned article for this.
Enabling debug logging for the Net Logon service :- support.microsoft.com/en-us/kb/109626
The above article works for all the o/s
Let me know once you all above done.