I had a similar problem in our environment. I had around 80 UNC Repositories which used a domain user account for both download and replication credentials. We did some troubleshooting and opened a ticket at our partner but didn't find the cause of the problem. I still think it could have been, that some clients tried to authenticate with outdated siteList information. Because the problem started to appear after we added and deleted some repositories.
To get around this situation we switched most UNC Repositories to SuperAgent Distributed Repositories. The SADRs in my opinion work more reliable than UNC repositories. We still have 5 UNC repositories. The locked user situation disappeared after switching around 70% of our repositories.