Invalid password passed to LogonUser(), but Active Directory account is not locked as expected

I have an Active Directory "number of login attempts" policy set to 3. We call the LogonUser function 5 times with the wrong password. After that, I call LogonUser with the correct password, and it works, and the user can log in.

Why is the account not locked?

+4
1 answer

It depends on how you call LogonUser. If you do not specify a domain name, either through the lpszDomain parameter or by giving lpszUsername in UPN format, you will be attempting to log on to the local computer.

Windows clients store cached domain logon credentials for situations where the Active Directory server is unavailable. In this case, the cached credentials will allow the user to log on to the local computer.

Cached credentials are used when domain credentials are used to authenticate on a computer that is not connected to a domain controller. Each time a domain user logs on to the system, the operating system generates cached credentials and stores them in the operating system's security database.

According to Microsoft's Account Lockout Policy technical overview:

The account lockout policy applies to domain accounts. Account lockout is the interaction between the client computer and the domain controller and implements the following process:

Without seeing your code, I suspect that the logon attempts are being made against the local computer, not against the domain. They are therefore not counted by the lockout policy, which is why the user can still log on to the domain without any problem.

+1
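The domain-routing behaviour the answer describes, as an added PowerShell example that is not part of the original question or answer: it P/Invokes LogonUser with LOGON32_LOGON_NETWORK, first with an explicit NetBIOS domain (so the attempts are evaluated by a domain controller and count toward the lockout threshold), then with no domain at all, and reads the Win32 error after each call to tell ERROR_LOGON_FAILURE (1326) from ERROR_ACCOUNT_LOCKED_OUT (1909). The domain CORP, the account lockout.test and the passwords are placeholders; the final Get-ADUser check assumes the RSAT ActiveDirectory module is installed on the machine running the script.

```powershell
# Added example, not code from the original post. Placeholders: domain, account, passwords.
Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(
    string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out IntPtr phToken);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$LOGON32_LOGON_NETWORK    = 3     # credential check only, no interactive session
$LOGON32_PROVIDER_DEFAULT = 0
$ERROR_LOGON_FAILURE      = 1326  # bad user name or password
$ERROR_ACCOUNT_LOCKED_OUT = 1909  # refused because the account is locked

function Test-Logon {
    param(
        [Parameter(Mandatory)] [string] $User,
        $Domain,      # deliberately untyped so $null reaches LogonUser as NULL, not ""
        [Parameter(Mandatory)] [string] $Password
    )
    $token = [IntPtr]::Zero
    $ok  = [Win32.Logon]::LogonUser($User, $Domain, $Password,
               $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref] $token)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) { [void] [Win32.Logon]::CloseHandle($token) }
    [pscustomobject] @{ Success = $ok; Win32Error = $err }
}

$domain   = 'CORP'               # placeholder: NetBIOS name of the test domain
$user     = 'lockout.test'       # placeholder: throwaway account you are willing to lock
$badPass  = 'definitely-wrong'   # placeholder
$goodPass = Read-Host "Password for $domain\$user (plain text, test account only)"

# Five wrong attempts with an explicit domain, so each one is evaluated by a DC.
# With a lockout threshold of 3 expect 1326 at first and 1909 once the threshold is hit.
1..5 | ForEach-Object {
    $r = Test-Logon -User $user -Domain $domain -Password $badPass
    "attempt $_ (domain=$domain): success=$($r.Success) error=$($r.Win32Error)"
}

# The correct password against a now-locked domain account should also fail with 1909.
$r = Test-Logon -User $user -Domain $domain -Password $goodPass
"correct password, domain=$domain : success=$($r.Success) error=$($r.Win32Error)"

# Contrast: no domain and no UPN, the form the answer suspects. This is resolved on the
# local computer rather than by a DC, so it is invisible to the domain lockout policy.
$r = Test-Logon -User $user -Domain $null -Password $goodPass
"correct password, no domain : success=$($r.Success) error=$($r.Win32Error)"

# Directory-side confirmation (RSAT ActiveDirectory module assumed). badPwdCount is kept
# per DC and is not replicated; the PDC emulator holds the authoritative count.
Get-ADUser -Identity $user -Properties LockedOut, badPwdCount, lockoutTime |
    Select-Object SamAccountName, LockedOut, badPwdCount, lockoutTime
```

Run it on a domain-joined machine against a throwaway account only: the explicit-domain loop really does lock the account. If the explicit-domain attempts return 1326 five times and Get-ADUser still shows LockedOut = False, check which DC answered (badPwdCount differs per DC until the PDC emulator is consulted) before concluding the policy is not applied; if the no-domain call succeeds while the domain call returns 1909, you have reproduced the situation in the question.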

Source: https://habr.com/ru/post/1481176/
