In order to search LDAP, the application (CUPC) has to authenticate with LDAP first. A service account was used. This service account was configured in CUPS Admin > Application > Cisco Unified Personal Communicator > LDAP Profile.
Once this service account was locked out, none of the CUPCs would be able to search LDAP.
The strange thing is: as soon as you unlocked the account, it got locked up pretty soon. By looking at Windows Event Viewer (Security Log), you'd see the source was the CUPC computer. You changed the password in LDAP, and changed it on CUPC. But the account still got locked up.
Now you got confused. Since you already "refreshed" the password, why the account still got locked up?
The answer is: the "refresh" didn't get populated to CUPC. Some of the CUPCs were still trying the LDAP with old (wrong) password.
When you change the LDAP profile on CUPS, CUPC didn't get the updated profile (password) until next logon. It'll keep trying LDAP with the old password and keep locking out the account.
To solve this problem, you'll have to logout all CUPC before you unlock the LDAP account.
Sometimes, this is "mission impossible" in a large network where you have hundreds of users.
The workaround is:
1) Create a 2nd LDAP account.
2) On CUPS, update LDAP profile to use the new account.
On step2, you have to make sure you put in the correct information in one shot. If you misconfigured something and tried to correct that, chances are some CUPC might get the wrong info before you corrected it. The loop starts again.