If the Agent was not installed on a Domain Controller, everything worked fine. As soon as the Agent was installed on a DC member server, lockouts would occur.
We tried uninstalling / reinstalling the agent thinking something was corrupted in the Agent on Domain Controller servers, but that didn't help.
Release: 8.6
Mismatched NTLM settings between client and AD servers.
Some NTLM settings were different for the Domain controllers from the rest of our clients. Making these match resolved this issue.