Users with Windows 2000 clients, in a Windows 2000 native or mixed mode domain, may find that their accounts get locked out with fewer incorrect authentication attempts than the domain's Account Lockout policy specifies?

When the Windows 2000 client user tries to authenticate with a resource, the Kerberos authentication protocol is used. If that fails, NTLM authentication is attempted.

If the user specified an incorrect password, the account is charged with 2 failed attempts, instead of the 1 actual attempt.