We have an account lockout policy of 5 bad password attempts but we're seeing users presenting bad passwords up to several thousand times in the span of 15 minutes.
I'm concerned about whether the policy is active or if we have a possible brute force password attack being attempted.
After investigating this closer we determined the following:
To minimize the problem of false account lockouts, Microsoft added an N+2 feature sometime during the latter half of Windows Server 2003's lifecycle. This means that if the password you're entering is either the previous password or the one before that, then the attempt doesn't increment the bad password count attribute (badPwdCount) of the user.
This also means that the users were in the possession of devices that weren't taking no for an answer and simply retrying authentication ad infinitum (note: Windows Phone doesn't do this).
So no brute force attacks were being performed; the passwords being presented several thousand times to the DCs were simply coming from bad, bad devices. The users of said devices will also run into problems the third time they change their password... as the mobile device (a.k.a. unintentional DoS device) will then be autolocking them again faster than you can unlock them.
Further details: Account Lockout and Password Concepts, http://technet.microsoft.com/en-us/library/cc780271(v=ws.10)
To improve the experience for users and to decrease the overall total cost of ownership, Microsoft made the following changes to the behavior of domain controllers in the Windows Server 2003 family:
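A toy simulation of the N+2 behaviour described above, added here as an illustration and not code from the post or from Microsoft: a device keeps replaying a cached password across three password changes, and the badPwdCount stand-in only starts climbing once that password has aged out of the two-entry history. The passwords and the 3000-attempt count are constructed sample values.

```python
from collections import deque

LOCKOUT_THRESHOLD = 5   # lockout policy from the post: 5 bad attempts
HISTORY_CHECKED = 2     # the "N+2" behaviour: the two previous passwords don't count

class SimulatedAccount:
    """Toy model of a domain controller's bad-password accounting (not Microsoft's code)."""
    def __init__(self, password):
        self.current = password
        self.history = deque(maxlen=HISTORY_CHECKED)  # previous passwords, newest first
        self.bad_pwd_count = 0   # stands in for the badPwdCount attribute
        self.locked = False

    def change_password(self, new_password):
        self.history.appendleft(self.current)  # the oldest entry drops off after two changes
        self.current = new_password

    def authenticate(self, password):
        if self.locked:
            return "locked"
        if password == self.current:
            self.bad_pwd_count = 0
            return "success"
        if password in self.history:
            # N+2: a recently retired password still fails, but badPwdCount is left alone
            return "failure-stale"
        self.bad_pwd_count += 1
        if self.bad_pwd_count >= LOCKOUT_THRESHOLD:
            self.locked = True
        return "failure"

def replay_stale_device(account, cached_password, attempts=3000):
    """A device that 'isn't taking no for an answer' retrying its cached password."""
    results = {}
    for _ in range(attempts):
        r = account.authenticate(cached_password)
        results[r] = results.get(r, 0) + 1
    return results

def demo():
    """Walk through three password changes with a device still holding the first password."""
    acct = SimulatedAccount("Winter2013!")   # constructed sample passwords
    device_pw = "Winter2013!"
    states = []
    for new_pw in ("Spring2014!", "Summer2014!", "Autumn2014!"):
        acct.change_password(new_pw)
        seen = replay_stale_device(acct, device_pw)
        states.append((acct.bad_pwd_count, acct.locked, seen))
    return states
```

The first two changes produce thousands of failures with badPwdCount still at zero, matching what was seen on the DCs; after the third change the account locks on the fifth retry and every later attempt is rejected outright.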