I found this great piece of information on the TechNet website, that’s worth posting here. It’s an explaination on how domain controllers check passwords during authentication. I’ve re-written it in my own words to make it dummy-friendly (I like it that way!).
2. DC tries to verify the password. If it works, great! let the client know he’s in. If it did not work, either due to ‘wrong password’, ‘expired password’, ‘password must change on next login’, or due to ‘account lockout’, the domain controller forwards the authentication attempt to the PDC emulator. Since PDC Emulator is always notified whenever a DC changes a password, the PDC emulator will always have the latest password for any user at any given point of time. Hence, the authenticating DC passes the logon info to the PDC Emulator (just in case the authenticating DC doesn’t have latest password yet).
3. PDC emulator retries the authentication. If the PDC emulator operations master rejects the bad password, the password is definitely wrong! The PDC emulator operations master increments the badPwdCount attribute for that user object. The PDC is also the authority on the user’s password validity.
4. PDC Emulator informs the authenticating DC that the password didn’t work.
5. The authenticating domain controller also increments its copy of the badPwdCount attribute for the user object.
6. The authenticating domain controller then sends a response to the client computer that the logon attempt did not work.
As long as that user, program, or service continues to send bad passwords to the authenticating domain controller, logon attempts that failed because of an incorrect password continue to be forwarded to the PDC until the threshold value for incorrect logon attempts is reached (as per your Password Policy). When this occurs, the account is “locked out”.