Users' AD accounts keep being locked automatically. I'm confident it isn't the obvious problem with users typing in the wrong password repeatedly.
Whenever this happens the System log in Event Viewer is full of messages like:
Event ID 8005 The browser has received a server announcement indicating that the computer X is a master browser, but this computer is not a master browser.
Event ID 8009 The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is X.
Event ID 8019 The browser was unable to promote itself to master browser. The browser will continue to attempt to promote itself to the master browser, but will no longer log any events in the event log in Event Viewer.
I'm assuming the two are related, but am having trouble finding anything to back this up.
Browser election messages and locked accounts might have some similar dodgy network connectivity root-cause, but they're not related.
Here's a decent article about troubleshooting the Computer Browser service that's causing your browser election messages: http://support.microsoft.com/kb/188305
As far as the locked user accounts go, I'd suspect that the user has either a cached credential somewhere (wireless Ethernet authentication via PEAP, the account being used as a service user context, /SAVECREDS on a client computer, etc) that has an old password specified.
Troubleshooting account lockout isn't too fun. Have a look at Microsoft's article here for starts: http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx You need to have the right amount of security logging enabled on your domain controller computers to correlate the lockouts with real-world events (starting a given computer up, starting a service, etc). There are some tools that can help collect the event logs from multiple domain controllers and aggregate them to find the cause of the account lockouts (see http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E) since the events will be distributed across the security logs on, potentially, all domain controller computers.
The long-and-short of account lockout troubleshooting is that you need to turn up your security auditing and start researching what's happening in the real world when the lockout event occurs.
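Added example, not part of the original answer: one way to do the cross-DC collection described above, pulling account-lockout events from every domain controller's Security log and grouping them by account and originating computer. It assumes domain controllers running Windows Server 2008 or later (where a lockout is logged as event ID 4740), the ActiveDirectory PowerShell module, and rights to read each DC's Security log; the 24-hour window is an arbitrary choice.

```powershell
# Added example: gather lockout events (ID 4740) from all domain controllers.
# Assumes the ActiveDirectory module and read access to each DC's Security log.
Import-Module ActiveDirectory

$since  = (Get-Date).AddDays(-1)     # look-back window (assumed: 24 hours)
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = $since }

$lockouts = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName `
                               -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Raised when the DC is unreachable or has no matching events
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read the event fields by name from the XML, not by position
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            LoggedOnDC     = $dc.HostName
            Account        = $data['TargetUserName']
            # In event 4740 the calling computer is held in TargetDomainName
            CallerComputer = $data['TargetDomainName']
        }
    }
}

# Timeline to line up against real-world events (boot, service start, logon)
$lockouts | Sort-Object Time | Format-Table -AutoSize

# Which computer is locking which account most often
$lockouts | Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The CallerComputer column points at the machine to inspect for a stale cached credential, service account, or saved password.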
I agree with Evan that the two issues (browser elections and accounts getting locked out) could be related, but I wouldn't put them in the area of them both being definitely related. You may want to look at this previously posted question in regards to Accounts getting Locked out, as it may help you find the cause to the issue at hand.
Thou shall not run a service as thy user account.
Which users? Admins? Regular lUsers?
This person seems to have other theories:
http://www.sakana.fr/blog/2007/02/27/active-directory-user-account-repeatedly-locked-for-no-reason/
One odd thing we discovered with a couple of users had to do with them being set up under user accounts. Once we removed them from being explicitly set up the issue cleared up. It only affected 3 or 4 of our 500 users so we are still not certain why that was the case. Most of the time it was people set up to have debugger user rights instead of regular user rights but that might be a red herring.