SourceTree does not appear to properly keep track of authentication failures, and will retry indefinitely, which will eventually cause the user's account to be locked out. (This is especially insidious when the account in question is a domain account, because it can prevent the user from e.g. connecting to a ticketing system to request assistance with the lockout. Or logging into the workstation where SourceTree is running in order to terminate it.)
This problem has been noted elsewhere (but read on; I have new information):
https://community.atlassian.com/t5/Sourcetree-questions/User-account-getting-locked/qaq-p/1502118
https://community.atlassian.com/t5/Sourcetree-questions/Account-Lockouts/qaq-p/1062928
Looking at the Process Log (Process Viewer in the Tools menu) shows two curious things:
1. Repeated `git fetch` invocations with Caller Context = "GetFetchProcesses".
These all have the same output:
```
fatal: Cannot prompt because user interactivity has been disabled.
fatal: Authentication failed for 'https://our-local-bitbucket-server/scm/plat/repo.git'
```
This suggests that GetFetchProcesses -- or whatever invokes it -- is failing to track that the authentication request failed and to suppress automatic fetches afterwards. This is exacerbated by the following problem:
2. I see `git fetch` invocations for _dozens_ of projects that I don't even have open!
SourceTree seems to be automatically issuing fetch calls for repositories that have been used in the past, even if they are not currently open.
This means that if stale credentials are stored for _any_ repository that SourceTree knows about, SourceTree will eventually trigger a lockout on that account.
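The behaviour the post finds missing, sketched as an added example (not SourceTree's code and not part of the original post): a background-fetch guard that stops after the first `Authentication failed` line instead of retrying every cycle. `FetchGuard`, `fake_fetch`, and the host names are hypothetical, and blocking per host assumes credentials are stored per server.

```python
import re
from urllib.parse import urlsplit

# The git error line quoted in the post; the URL names the rejecting server.
AUTH_FAILED = re.compile(r"^fatal: Authentication failed for '([^']+)'", re.MULTILINE)


class FetchGuard:
    """Suppress background fetches to a host once its credentials are rejected."""

    def __init__(self, run_fetch):
        self.run_fetch = run_fetch    # callable(repo_url) -> git's text output
        self.blocked_hosts = set()    # hosts with a recorded authentication failure
        self.sent = {}                # host -> fetches that actually reached the server

    def auto_fetch(self, repo_url):
        host = urlsplit(repo_url).hostname
        if host in self.blocked_hosts:
            return "suppressed"       # no request, so no further failed logon is counted
        self.sent[host] = self.sent.get(host, 0) + 1
        match = AUTH_FAILED.search(self.run_fetch(repo_url))
        if match is None:
            return "ok"
        # Assumption: one stored credential per host, so block the whole host.
        self.blocked_hosts.add(urlsplit(match.group(1)).hostname)
        return "auth_failed"

    def credentials_updated(self, host):
        """Call when the user re-enters credentials; allows one new attempt."""
        self.blocked_hosts.discard(host)


# Constructed sample data: three known repositories on a server with stale
# credentials, one repository on a server whose credentials still work.
STALE = "bitbucket.example.internal"
REPOS = [f"https://{STALE}/scm/plat/repo{i}.git" for i in range(3)]
REPOS.append("https://git.example.org/team/tools.git")


def fake_fetch(repo_url):
    """Stand-in for `git fetch`: emits the output shown in the post for STALE."""
    if urlsplit(repo_url).hostname == STALE:
        return ("fatal: Cannot prompt because user interactivity has been disabled.\n"
                f"fatal: Authentication failed for '{repo_url}'\n")
    return ""


def simulate(cycles):
    """Run `cycles` background-fetch rounds over every known repository."""
    guard = FetchGuard(fake_fetch)
    for _ in range(cycles):
        for url in REPOS:
            guard.auto_fetch(url)
    return guard
```

Without the guard, 20 rounds over these repositories would send 60 failing logons to the stale server; with it, one is sent and the rest are suppressed until `credentials_updated` is called.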