Wow, we've been wrestling here for the past 2-3 months with clients which were randomly getting intruder lockouts. I just found a fix, and wanted to post it so if anyone was searching they would find it.
These started trickling in originally, then after we deployed Symantec AV CE v9 we would daily have 5-10 accounts with mystery lockouts, usually while a user was authenticated and using resources.
As it turns out, disabling NFAP (Native File Access Protocol for Apple, CIFS/Samba/Microsoft, and NFS) on our Netware servers was the cure.
I believe the root of the problem was that the SAV login script, referred to the UNC \\SAVServer\SAV, to deploy/update the clients. This was causing Windows to go through its Network Provider Order to negotiate a connection to this UNC resource.
We had Netware as the first network provider (Network Connections > Advanced Drop Down Menu > Advanced Settings), but on Windows PCs, unless DFS is disabled through a registry hack, it is ALWAYS the first provider attempted regardless of the Network Provider Order.
Note, disabling DFS on ADS machines will cause problems, as ADS requres access to \\Domain Controller\Sysvol, which can ONLY be accessed through DFS.
Whatever workstation or domain login was being used to access the resource through DFS did not have the password synced with Netware, so after the third attempt, the account was locked. (We've got failed logins before Intruder Lockout set to 3)
However, the client was already authenticated so the current session was allowed to continue until the workstation locked or the user logged out.
Oh well, hope this helps someone.