Spent countless hours resetting an Okta AD service account due to it constantly becoming locked out. Ultimately, the problem was that the Okta service account was a member of a group that was connected to the Domain Admins group via 3 or 4 nested groups.
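One way to surface the kind of nested path described above is to walk the account's `memberOf` links upward until Domain Admins is reached. This is an added example, not part of the original post; the account name `svc-okta` and the function name `Get-NestedGroupPath` are placeholders, and it assumes the ActiveDirectory (RSAT) module and groups that all live in the current domain.

```powershell
# Added example: trace the chain of nested groups linking an account to a
# privileged group. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-NestedGroupPath {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. 'svc-okta' (placeholder)
        [string] $TargetGroup = 'Domain Admins'
    )
    $start  = Get-ADUser  -Identity $SamAccountName -Properties MemberOf
    $target = (Get-ADGroup -Identity $TargetGroup).DistinguishedName

    # Breadth-first walk up memberOf, carrying the path taken so far.
    # Note: memberOf does not list the primary group (usually Domain Users).
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $seen  = [System.Collections.Generic.HashSet[string]]::new(
                 [StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in $start.MemberOf) { $queue.Enqueue(@($dn)) }

    while ($queue.Count -gt 0) {
        $path    = $queue.Dequeue()
        $current = $path[-1]
        if (-not $seen.Add($current)) { continue }   # skip revisits and circular nesting
        if ($current -eq $target)     { return ,$path }
        $parents = (Get-ADGroup -Identity $current -Properties MemberOf).MemberOf
        foreach ($p in $parents) { $queue.Enqueue(@($path + $p)) }
    }
    return $null   # no nested route to the target group
}

# Usage: print the shortest chain, one hop per arrow, or report that none exists.
$chain = Get-NestedGroupPath -SamAccountName 'svc-okta'
if ($chain) {
    "svc-okta -> " + ($chain -join ' -> ')
} else {
    'No nested path to Domain Admins found.'
}
```

For a yes/no audit across many accounts, `Get-ADGroupMember -Identity 'Domain Admins' -Recursive` lists every effective member but does not show which intermediate groups create the link.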