Why doesn't a user get locked out after a number of invalid password attempts greater than the domain account lockout policy?

We have an account lockout policy of 5 bad password attempts but we're seeing users presenting bad passwords up to several thousand times in the span of 15 minutes.

I'm concerned about whether the policy is active or if we have a possible brute force password attack being attempted.

 

After investigating this closer we determined the following:

  • The account lockout policy was working just fine, as a couple of attempts to log on using an incorrect password proved
  • Some users were using multiple mobile phones or devices but had neglected to update the passwords on them for a couple of months
  • The maximum age of the passwords in the domain was 180 days

To minimize the problem of false account lockouts, Microsoft added an N-2 feature sometime during the latter half of Windows Server 2003's lifecycle. This means that if the password you're entering is either the previous password or the password before that, the attempt doesn't increment the user's bad password count attribute (badPwdCount).

This also means that the users were in possession of devices that weren't taking no for an answer and simply retried authentication ad infinitum (note: Windows Phone doesn't do this).

So no brute-force attacks were being performed; the passwords being presented several thousand times to the DCs were simply coming from bad, bad devices.
The users of said devices will also run into problems the third time they change their password, as the mobile device (a.k.a. unintentional DoS device) will then be locking them out again faster than you can unlock them.
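The behaviour described above can be reproduced with a small model. This is an added example, not Microsoft's implementation or code from the original post: the `Account` class, the `replay` helper, the SHA-256 stand-in digest and the sample passwords are all assumptions made for illustration, and the lockout observation window is left out.

```python
import hashlib
from collections import deque

LOCKOUT_THRESHOLD = 5   # the policy value from the post
HISTORY_EXEMPT = 2      # N-2: the last two previous passwords are exempt


def _digest(password: str) -> str:
    # Stand-in digest for this model; not the format a DC stores.
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    """Simplified model of one user's lockout state (hypothetical class)."""

    def __init__(self, password: str):
        self.current = _digest(password)
        self.history = deque(maxlen=HISTORY_EXEMPT)  # most recent previous passwords
        self.bad_pwd_count = 0
        self.locked = False

    def change_password(self, new_password: str) -> None:
        self.history.append(self.current)  # oldest entry drops out once full
        self.current = _digest(new_password)

    def unlock(self) -> None:
        self.bad_pwd_count = 0
        self.locked = False

    def logon(self, password: str) -> bool:
        if self.locked:
            return False
        presented = _digest(password)
        if presented == self.current:
            self.bad_pwd_count = 0
            return True
        if presented not in self.history:  # N-2 check runs before the increment
            self.bad_pwd_count += 1
            self.locked = self.bad_pwd_count >= LOCKOUT_THRESHOLD
        return False


def replay(account: Account, password: str, attempts: int) -> int:
    """Present one password repeatedly, as a stale device does; return badPwdCount."""
    for _ in range(attempts):
        account.logon(password)
    return account.bad_pwd_count
```

Replaying a device's stale password thousands of times leaves badPwdCount at 0 for the first two password changes; after the third change the same replay locks the account on the fifth attempt, which is the "unintentional DoS" case.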

Further details:

Account Lockout and Password Concepts
http://technet.microsoft.com/en-us/library/cc780271(v=ws.10)

 

To improve the experience for users and to decrease the overall total cost of ownership, Microsoft made the following changes to the behavior of domain controllers in the Windows Server 2003 family:

  • Password history check (N-2): Before a Windows Server 2003 operating system increments badPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries that are in the password history, badPwdCount is not incremented for both NTLM and the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error.