Should I be able to log into a locked-out Active Directory account by disabling internet connectivity?

My Active Directory account just got locked out. On a whim I unplugged the Ethernet cord and turned off the Wi-Fi radio switch, and I was able to log into my account. I plugged the Ethernet back in and then tried to RDP to another computer on the network and got the "your account is locked" message. So I pressed Ctrl+Alt+Del, locked my active desktop session again and tried to log in. Once again I got the "your account is locked" message. Then I unplugged the Ethernet cord again and was able to log in to my session.

Is this the intended design of Active Directory?


Yes. With network connectivity you'll attempt a login to the domain and fail because your account is locked out. Without network connectivity you'll log on to your computer with cached credentials.

This is by design.


To add to joeqwerty's answer, this is by design for people who may travel or be away from the domain without any access, be it through VPN or another method, back to the local domain. It is also by design for several other reasons, but your credentials do get cached and then used in this instance. When you unplugged your Ethernet cable you probably noticed that it took a lot longer for the login to work, because it first tries to go out and hit a DC (three times, actually). Once it fails to reach a DC it logs on with cached credentials.

Something else to note that might be of help is that it will cache the last two sets of credentials, meaning you and one other AD account.
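The cached-logon behaviour described in the answers above is governed by the `CachedLogonsCount` value under the Winlogon registry key (the "Interactive logon: Number of previous logons to cache" policy). The following PowerShell is an added example, not code from the thread: it reports how many logons each machine will cache and flags anything above a baseline you choose. It assumes administrative rights and, for remote hosts, working PowerShell remoting; `$MaxAllowed` is a placeholder for your own policy.

```powershell
# Added example: audit how many domain logons a machine caches for offline use.
# Assumptions: run as an administrator; $MaxAllowed is a site policy choice.
function Get-CachedLogonPolicy {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxAllowed = 2
    )

    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $script = {
        param($Path)
        $item = Get-ItemProperty -Path $Path -ErrorAction Stop
        # CachedLogonsCount is stored as a REG_SZ string. If the value is absent,
        # the Windows default of 10 cached logons applies.
        if ($null -eq $item.CachedLogonsCount) { 10 } else { [int]$item.CachedLogonsCount }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $count = & $script $keyPath
            } else {
                $count = Invoke-Command -ComputerName $computer -ScriptBlock $script `
                    -ArgumentList $keyPath -ErrorAction Stop
            }
            [pscustomobject]@{
                ComputerName        = $computer
                CachedLogonsCount   = $count
                OfflineLogonAllowed = ($count -gt 0)   # 0 disables cached logons entirely
                ExceedsBaseline     = ($count -gt $MaxAllowed)
                Error               = $null
            }
        } catch {
            [pscustomobject]@{
                ComputerName        = $computer
                CachedLogonsCount   = $null
                OfflineLogonAllowed = $null
                ExceedsBaseline     = $null
                Error               = $_.Exception.Message
            }
        }
    }
}

# Usage: Get-CachedLogonPolicy -ComputerName 'PC01', 'PC02' | Format-Table -AutoSize
```

Setting the value to 0 via Group Policy removes offline logon for domain accounts altogether, which is the trade-off against the travelling-user scenario the answer describes.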