The NT_STATUS_ACCOUNT_LOCKED_OUT means the account in the Active Directory have the 'mark' password expired or its account is locked.
It can be also a local account has the same name like a domain account, but different passwords
The Windows computer came up with a fresh boot.
ΒΆ Resolving a locked AD account
In a Windows Server, there is a short back-and-forth between the client system, the client system's domain controller, and the domain controller holding the Primary Domain Controller (PDC) emulator role. This occurs as follows:
- Whenever user account authentication is attempted, the credentials are sent to the appropriate domain controller for the client system's subnet.
- if the password is incorrect, the client system's domain controller forwards the request to the domain controller holding the PDC emulator role. This is because the domain controller on the client system may not have the most recent password, while the domain controller holding the PDC emulator role always does.
- The PDC emulator tries the password again and if it is still wrong, the PDC emulator increments the badPwdCount attribute of the user account.
- An event ID 4740 is generated on the PDC emulator with the IP address of the client system that initiated the initial request and with the user account.
- The PDC emulator then informs the client system's domain controller that the password is, in fact, wrong.
- The client system's domain controller then informs the client system that the password is wrong.
Using PowerShell run the command
Get-ADUser [user] -Properties badpwdcount,lockedout
As [user] is the account.
