I recently began troubleshooting an issue with our Domain Account Lockout policy which appeared not to be working. It turns out that the policy is working and a few accounts will actually get locked out.
However, many of the accounts in my domain never have the "Bad Pwd Count" attribute increment over 1 - no matter how many bad passwords they enter.
Dumping the badpwdcount value for all the users in the domain shows a mix mostly of 0 & 1.
The 0 & 1 values do not correlate with the account's ability to increment the badpwdcount. (Some 0's & some 1's will increment over 1, while some of each will not increment over 1.)
We are testing the badpwdcount increment with random characters - nothing that should be in the PWD History [N-2] and hence excluded from incrementing the attribute.
I am at a loss to explain why some accounts have their badpwdcount attribute incremented and some do not.
Any suggestions on further troubleshooting/solutions?