
Incorrect password passed to LogonUser() but the Active Directory account is not locked as expected

I have Active Directory "number of logon retries" = 3. We call the LogonUser function 5 times with the wrong password. After that I call LogonUser with the right password and it works, and the user can log in.

Why is the account not locked out?

kain64b asked Nov 03 '22 21:11


1 Answer

This depends on how you call LogonUser. If you do not specify a domain name, either through the lpszDomain parameter or by specifying lpszUsername in UPN format, then you will be attempting to log in on the local machine.

Windows clients store cached credentials for domain logins for situations where the Active Directory server is not available. In this case, the cached credentials will allow the user to log on to the local machine.

Cached credentials are used when using domain credentials for authentication to a computer that is not connected to a domain controller. Each time a domain user logs on, the operating system generates the cached credentials and stores them in the Security hive of the operating system.

According to Microsoft's Account Lockout Policy Technical Overview:

Account lockout policies apply to domain accounts. Account lockout is an interaction between a client computer and a domain controller and implements the following process:

Without seeing your code, I suspect that the login attempts occur against the local machine, not the domain. These don't count towards the lockout policy. This allows the user to log on to the domain without a problem.

Steve answered Nov 12 '22 16:11
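An added C# example (mine, not code from the question or the answer) of the fix the answer implies: a P/Invoke wrapper around LogonUser that insists on a domain, through lpszDomain or a UPN, so the attempt is evaluated by a domain controller and counts toward the lockout policy, and that distinguishes a bad password from an already locked account using the documented Win32 error codes. The class and method names are hypothetical; the constants and error codes are the Windows SDK values.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example (not from the question or answer): validate credentials
// against the domain so the attempt is evaluated by a domain controller.
static class DomainLogonCheck
{
    const int LOGON32_LOGON_NETWORK    = 3; // network logon, no profile load
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 error codes from GetLastError when LogonUser fails
    const int ERROR_LOGON_FAILURE      = 1326; // unknown user or bad password
    const int ERROR_ACCOUNT_LOCKED_OUT = 1909; // lockout threshold reached

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain,
                                 string lpszPassword, int dwLogonType,
                                 int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    public enum Outcome { Success, BadPassword, LockedOut }

    // Hypothetical helper: refuses to run without a domain, so the call can
    // never fall back to a local-machine logon that bypasses the lockout policy.
    public static Outcome Validate(string user, string domain, string password)
    {
        bool isUpn = user.Contains("@");
        if (!isUpn && string.IsNullOrEmpty(domain))
            throw new ArgumentException("Pass lpszDomain or a UPN (user@domain).");
        if (domain == ".")
            throw new ArgumentException("\".\" targets the local account database.");

        // With a UPN in lpszUsername, lpszDomain must be null.
        if (LogonUser(user, isUpn ? null : domain, password, LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT, out IntPtr token))
        {
            CloseHandle(token);
            return Outcome.Success;
        }

        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_LOGON_FAILURE)      return Outcome.BadPassword;
        if (err == ERROR_ACCOUNT_LOCKED_OUT) return Outcome.LockedOut;
        throw new Win32Exception(err); // e.g. expired password, disabled account
    }
}
```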