If the user is locked and you unlock the user, you have to wait for your AD environment to converge (replicate) and for Centrify clients to pick-up the change (or issue the adflush or adobjectrefresh commands). Depending on your environment it could take up to 3600 seconds (by default) for changes to be picked up.
Tip:
You can use the adinfo command with the --servername option to see what domain controller your client is looking at. In additon, you can use ADUC (or other tools) that can switch domain controllers to match that domain controller. This way you eliminate replicaiton from the equation.
For tips an tricks go here: http://community.centrify.com/t5/TechBlog/TIPS-A-Centrify-Server-Suite-Cheat-Sheet/bc-p/25707#M410
There is definitely a config file to edit, but the defaults are recommended. Editing the config file will get you in "you must know the implicaitons of what you're doing" situation.
R.P