Each domain controller in a Windows NT 4.0 network maintains an independent count of failed user authentication.
Replication does not occur until the account lockout is tripped.
When an user logs onto a workstation, pass-through authentication occurs over the secure channel. If the logon attempt fails, due to incorrect credentials, the validating domain controller adds 1 to the Bad Password count.
When a NET USE command that requires pass-through authentication is used, a failure to authenticate password adds 1 to the Bad Password count, on the validating domain control.
When a user connects to a UNC that requires pass-through authentication, the process is identical,
EXCEPT that the Multiple UNC Provider (MUP) repeats
the process 3 times, resulting in a failure adding 3 to the Bad Password count on the
validating domain controller.