Hello,
An account lockout threshold of three is too low. This will cause nothing
but trouble for you and your end users. It would also make it very easy
for some to hit you with a denial of service attack against your domain
accounts. i.e. Someone uses a password crack tool against your network and
locks out ALL of your accounts.
I do not recommend having lockouts set less than ten in a Windows 2000/2003
domain.
What you are seeing is normal behavior. Here is an explanation from 264678.
When the client tries to authenticate the user with a resource, Windows
2000 first uses the Kerberos authentication method. If the
Kerberos attempt does not succeed, the client then tries the Windows NT
challenge/response (NTLM) authentication protocol. Each of these methods
presents the user's credentials for authentication purposes. Therefore, if
a user specifies an incorrect password, the user's account is "charged"
twice for one authentication attempt.
Netlogon logging tracks only NTLM authentication attempts. To track
invalid Kerberos logon attempts, you must use
Kerberos logging.
There are lots of other strange OS and application settings that can cause
multiple failed logons added to your lockout count.
Here are some random examples.
818078 Your User Account May Be Prematurely Locked Out
http://support.microsoft.com/?id=818078
276541 Unexpected Account Lockouts Caused When Logging On to Outlook from an
http://support.microsoft.com/?id=276541
More information...
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx#XSLTsection125121120120
Hope this helps,
IBTerry [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
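Added example (not part of the post above, and not a Microsoft tool): a small Python script that works through Netlogon.log-style lines to show which workstation is generating the bad-password attempts for each account, and which accounts would already be at or past a given lockout threshold once the "charged twice" Kerberos/NTLM behaviour is taken into account. The log lines are constructed, the line layout is an assumption modelled loosely on Netlogon's SamLogon entries, and the only NT status values used are 0xC000006A (wrong password) and 0xC0000234 (account locked out).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in a Netlogon.log-like layout (assumed format, not
# taken from the original post). Netlogon logging sees only the NTLM side
# of each attempt, so each line here is the NTLM half of a failed logon.
SAMPLE_LOG = """\
01/21 10:03:12 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jsmith from WKS01 (via DC1) Returns 0xC000006A
01/21 10:03:15 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jsmith from WKS01 (via DC1) Returns 0xC000006A
01/21 10:03:40 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jsmith from WKS01 (via DC1) Returns 0x0
01/21 10:04:02 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\mlee from OLDLAPTOP (via DC1) Returns 0xC000006A
01/21 10:04:03 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\mlee from OLDLAPTOP (via DC1) Returns 0xC000006A
01/21 10:04:05 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\mlee from OLDLAPTOP (via DC1) Returns 0xC000006A
01/21 10:04:07 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\mlee from OLDLAPTOP (via DC1) Returns 0xC0000234
"""

STATUS_WRONG_PASSWORD = 0xC000006A   # NT status: bad password
STATUS_ACCOUNT_LOCKED = 0xC0000234   # NT status: account is locked out

LINE_RE = re.compile(
    r"logon of (?P<account>\S+) from (?P<source>\S+) .*Returns (?P<status>0x[0-9A-Fa-f]+)")

def summarize_failures(log_text):
    """Return ({account: Counter(source -> bad-password lines)}, {locked accounts})."""
    failures = defaultdict(Counter)
    locked = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        status = int(m.group("status"), 16)
        if status == STATUS_WRONG_PASSWORD:
            failures[m.group("account")][m.group("source")] += 1
        elif status == STATUS_ACCOUNT_LOCKED:
            locked.add(m.group("account"))
    return failures, locked

def accounts_near_lockout(failures, threshold, charge_per_attempt=2):
    """Accounts whose estimated bad-password count reaches the threshold.
    Each NTLM failure seen by Netlogon is assumed to follow a failed Kerberos
    attempt, so one mistyped password is charged charge_per_attempt times."""
    return {acct for acct, by_src in failures.items()
            if sum(by_src.values()) * charge_per_attempt >= threshold}

if __name__ == "__main__":
    failures, locked = summarize_failures(SAMPLE_LOG)
    for acct, by_src in failures.items():
        print(acct, dict(by_src), "LOCKED" if acct in locked else "")
    print("at/over threshold 3:", accounts_near_lockout(failures, 3))
    print("at/over threshold 10:", accounts_near_lockout(failures, 10))
```

With a threshold of three, both accounts in the sample are already over the line; with a threshold of ten, neither is, which is the point of the advice above.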