The vulnerability could allow a malicious user to use repeated attempts to guess an account password even if the domain administrator had set an account lockout policy.