Protected Accounts membership
The UserLock service maintains a list of the members of every protected account. This member list is refreshed every five minutes.
Every time an access decision needs to be made, the member list of each protected account is searched for the user name.
It is thus possible for UserLock to apply modifications to the user access control policy (protected accounts) in real time. If you add or remove a protected account whose members already have open sessions, the new rules nevertheless take effect immediately, without waiting for those sessions to end.
For example, if a user asks to be exceptionally allowed to work outside their usual logon hours, you can create a new protected account just for them with different 'Hour restrictions', or add them to an existing protected account group that already carries the required settings. Once done, you do not need to ask them to log off and log on again for the new time limit to apply; the rules take effect without any action on the user's part. They can keep working undisturbed until the new time limits you have just set are reached. Note that a change to a group's membership made in Active Directory is picked up at the next refresh of the member list, so it can take up to five minutes to be reflected, whereas creating or removing a protected account applies at once.
As UserLock needs to maintain the member list of each protected account, it includes the following optimization: the 'Domain Users' group is always considered by UserLock to include all users of the domain, even if some users have been removed from it. This behavior is by design: the group can be huge in large domains and retrieving all of its members would be very time consuming, so skipping that retrieval keeps processing fast.
Please note that Microsoft recommends against removing users from the 'Domain Users' group, as it is the default primary group. Membership through the primary group is recorded in each user's primaryGroupID attribute rather than in the group's member list, so removing users from it (which first requires giving them a different primary group) forces domain controllers to manage the member list of this group explicitly; in large domains this could cause the maximum member count to be reached and thus create issues.
Consequence: if you have removed some users from the 'Domain Users' group and this group is defined as a UserLock protected account, rules for these users may be enforced differently from what you expect, since UserLock still treats them as members of 'Domain Users'. This is most noticeable when the UserLock policy is set to the most restrictive setting.
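To find the accounts affected by this consequence before they surprise you, the following PowerShell script lists every user that has been removed from 'Domain Users' in Active Directory, i.e. whose primary group is no longer 'Domain Users' (RID 513) and who is not listed explicitly in the group's member attribute either. It is an added example, not UserLock's own code; it assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read group membership. The function name Get-UserRemovedFromDomainUsers is a name chosen here, not a UserLock or Microsoft cmdlet.

```powershell
# Added example (not UserLock's code): list users that UserLock will still treat as
# members of 'Domain Users' although they have been removed from the group in AD.
Import-Module ActiveDirectory

function Get-UserRemovedFromDomainUsers {
    # 513 is the well-known RID of 'Domain Users'. A user whose primaryGroupID is 513
    # is a member through the primary group and does not appear in the group's
    # 'member' attribute, so Get-ADGroupMember alone cannot tell the two cases apart.
    $domainUsersRid = 513

    # Explicit members of the group (the 'member' attribute, not the computed membership).
    $domainUsers = Get-ADGroup -Identity "Domain Users" -Properties member
    $explicitMembers = @($domainUsers.member)

    # Users whose primary group has been changed away from 'Domain Users' ...
    $notPrimary = Get-ADUser -LDAPFilter "(!(primaryGroupID=$domainUsersRid))" `
                            -Properties primaryGroupID

    # ... and who were not re-added to the group explicitly: these are the accounts the
    # text above refers to as "removed from 'Domain Users'".
    $notPrimary | Where-Object { $explicitMembers -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, DistinguishedName, primaryGroupID
}

Get-UserRemovedFromDomainUsers | Format-Table -AutoSize
```

Any account this prints is one for which a 'Domain Users' protected account will still apply in UserLock even though Active Directory no longer considers it a member; either give those accounts their own protected account or restore their primary group. Reading the whole member attribute is exactly the expensive operation UserLock avoids, so expect the script to take a while in a large domain.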