
I am running AD on Windows Server 2003 and made sure our account lockout policy is set to 5 attempts before an account gets locked. It works on any Windows computer running XP/Vista/7/8, but the problem arises when trying to connect to the domain account from a Mac. The Mac user only has one attempt to get their password correct; otherwise the account will be locked out. This happens on all of the Macs we have.

Any help would be greatly appreciated, thanks!

MDMarra
    What version of OS X exactly? Verify the [correct settings are set](http://4sysops.com/archives/how-to-join-a-mac-os-x-computer-to-active-directory/) – Ramhound Jun 02 '14 at 16:34
  • Account lockouts and failed attempt counts are not processed by the client - they are processed by the domain controller doing the authentication. My guess would be that OS X is re-sending failed authentication attempts silently until the account is locked, for some reason. Sniff the traffic with Wireshark. I bet you'll see multiple attempts from the single logon. – MDMarra Jun 11 '14 at 16:17
  • What events (IDs, event text, and count), if any, are logged to the domain controller's security event log when the Mac user tries to log on? – I say Reinstate Monica Aug 08 '14 at 13:49
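The comments above point at the domain controller's security log as the place to confirm whether one Mac logon is arriving as several failed attempts. The following is an added example, not code from the question or the answers: it correlates failed Kerberos pre-authentication events by account and client address and flags any client that reaches the 5-attempt lockout threshold within a few seconds. The event records are constructed for illustration; the column layout assumed is time, event ID, account, client address.

```python
# Added example (not from the original question or answer): correlate failed
# Kerberos pre-authentication events from a DC security log export by client
# address and flag any single client that burns through the 5-attempt lockout
# threshold within a short window, which is what a client silently retrying
# one logon would look like. Sample records below are constructed, not real.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                  # matches the policy in the question
BURST_WINDOW = timedelta(seconds=10)   # how close together the failures must be

# Pre-authentication failure event IDs: 675 on Server 2003, 4771 on 2008 and later.
PREAUTH_FAILED = {675, 4771}

# Constructed sample export: (time, event id, account, client address).
SAMPLE_EVENTS = [
    ("2014-06-11 16:10:01", 675, "jsmith", "10.0.0.55"),  # Windows client, one typo
    ("2014-06-11 16:10:20", 675, "akhan", "10.0.0.80"),   # Mac: one logon, five failures
    ("2014-06-11 16:10:20", 675, "akhan", "10.0.0.80"),
    ("2014-06-11 16:10:21", 675, "akhan", "10.0.0.80"),
    ("2014-06-11 16:10:21", 675, "akhan", "10.0.0.80"),
    ("2014-06-11 16:10:22", 675, "akhan", "10.0.0.80"),
    ("2014-06-11 16:10:22", 644, "akhan", "10.0.0.80"),   # 644 = account locked out (2003)
]

def find_retry_bursts(events, threshold=LOCKOUT_THRESHOLD, window=BURST_WINDOW):
    """Return {(account, client): total_failures} for every account/client pair
    whose failed pre-auth attempts reach `threshold` inside one `window`."""
    failures = defaultdict(list)
    for ts, event_id, account, client in events:
        if event_id in PREAUTH_FAILED:
            failures[(account, client)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    bursts = {}
    for key, times in failures.items():
        times.sort()
        # Sliding window: does any run of `threshold` failures fit inside `window`?
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[key] = len(times)
                break
    return bursts

if __name__ == "__main__":
    for (account, client), n in find_retry_bursts(SAMPLE_EVENTS).items():
        print(f"{client} sent {n} failed pre-auth attempts for {account} in one burst")
```

A Windows client that mistypes once produces one failure and is not reported; a client that turns one logon into a burst of failures is, which is the behaviour the lockout counter on the DC is reacting to.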

1 Answer


OS X can sometimes have trouble actually authenticating against Active Directory. It is therefore storing them as offline accounts, and it may appear they are authenticating with AD when that is not necessarily true. It may be authenticating against a stored hash. If this is the case, lockout won't work, as it is never actually hitting the Active Directory server to see if you are indeed locked out.

One of the things we found to fix the problem was to set a custom search path. There is an Apple message board thread about this bug that I can't seem to find right now, but basically, manually adding your Active Directory domains in Directory Utility fixes the issue, and, if I remember correctly, confirming creation of mobile accounts. If I find the post, I'll update this.

David Eisen