The only thing that would lock their account is if they entered their password incorrectly. Check the account lockout settings in the default domain group policy. See if the policy is set to require an admin to unlock the user's account -- if the account lockout duration is set to zero, then users must contact an admin to have their account unlocked.
You should also look at the account lockout threshhold (how many failed attempts before the account is locked) and the reset lockout counter (the time the user must wait before the lockout is lifted and they can try their password again).
You can also look at the Security logs in Event Viewer on both the computer the user tries to log in on, and the domain controllers the users authenticate to.