Protecting cached credentials

by Mitch Tulloch [Published on 13 March 2012 / Last Updated on 7 July 2011]

Are cached credentials protected by account lockout policy when your laptop is disconnected from the corporate network?

The answer is no, because account lockout policy is not applied when your computer is disconnected from the corporate network. That's because account lockout policy is enforced by the domain controller that holds the PDC Emulator role, not by any local mechanism on a domain-joined computer.

If that's the case, what's to stop someone who has stolen a corporate laptop from running a brute-force attack against the locally cached copy of the user's domain credentials?

The answer is BitLocker! Because cached credentials are vulnerable to offline attack whenever the computer is disconnected from the domain, the only way to protect them is to use BitLocker to encrypt the entire system drive. All corporate laptops running Windows 7 should have BitLocker enabled so that they are protected against any form of offline attack should they be lost or stolen.
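As an added check that is not part of Mitch's tip, the following PowerShell (assumed to run elevated on a domain-joined Windows 7 or later client; the function name and the output fields are this example's own) reports whether the machine is caching domain logons at all and whether the system drive holding them is under BitLocker protection, which is what a deployment team would verify before signing off on a laptop.

```powershell
# Added example (not from the original article): audit whether a client's
# locally cached domain credentials sit on a BitLocker-protected volume.
# Assumes an elevated Windows PowerShell session on a Windows 7+ client.
function Test-CachedCredentialProtection {
    [CmdletBinding()]
    param(
        # Drive letter of the Windows system volume (where cached credential
        # data is stored); defaults to the running system drive, e.g. "C:".
        [string]$SystemDrive = $env:SystemDrive
    )

    # How many domain logons Windows keeps cached for offline use.
    # Windows default is 10; 0 means no credentials are cached on disk.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
        -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # value absent => default applies

    # BitLocker state via the WMI provider available since Windows Vista,
    # so this works on Windows 7 where Get-BitLockerVolume does not exist.
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$SystemDrive'"
    if ($null -eq $vol) {
        throw "No encryptable volume found for $SystemDrive (not elevated?)"
    }

    # ProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown.
    $status    = $vol.GetProtectionStatus().ProtectionStatus
    $protected = ($status -eq 1)

    [pscustomobject]@{
        SystemDrive        = $SystemDrive
        CachedLogonsCount  = [int]$cached
        BitLockerProtected = $protected
        # Cached credentials only reach disk when the count is above 0; when
        # they do, offline brute force is only blocked if BitLocker is on.
        CachedCredsAtRisk  = ([int]$cached -gt 0) -and (-not $protected)
    }
}

Test-CachedCredentialProtection | Format-List
```

A result with CachedCredsAtRisk set to True is a laptop whose cached credentials are exactly as exposed as the article describes.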

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.
