Protected Accounts membership
The UserLock service maintains a list of the members of every protected account and refreshes this list every five minutes.
Whenever the UserLock service needs to apply a restriction to a user account, it looks up which protected accounts apply to that user account.
UserLock can therefore apply changes to the access control policy of users (protected accounts) in real time (within 5 minutes). If you add or delete a protected account whose members already have open sessions, the new rules take effect within 5 minutes.
For example, if a user exceptionally asks to be allowed to work outside their usual authorized logon time, you can create a new temporary protected account for them (or for a group or OU to which they belong) with different "Hour restrictions". Once this is done, the user does not need to disconnect and reconnect for the modification to apply: the rules take effect without any action from the user.
UserLock manages the list of the members of each protected account itself. For UserLock, the groups "Domain Users", "Everyone" and "Authenticated users" always include all the users of the domain, even if some users have been removed from these groups.
Please note that Microsoft recommends not removing users from the 'Domain Users' group as this is the Primary group.
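The PowerShell below is an added example, not part of UserLock or its documentation: it lists accounts that are not members of "Domain Users" in Active Directory, which UserLock nevertheless counts as members of that group. The function name, the sample accounts and the example.test domain are constructed for illustration; the commented lines at the end assume the ActiveDirectory module is installed.

```powershell
# Added example (not UserLock code). Finds users whose Active Directory
# membership of "Domain Users" differs from how UserLock treats that group.
function Get-DomainUsersDivergence {
    param(
        # Objects exposing SamAccountName, PrimaryGroupID and MemberOf
        [Parameter(Mandatory)] [object[]] $Users,
        # distinguishedName of the Domain Users group
        [Parameter(Mandatory)] [string] $DomainUsersDN,
        # Well-known RID of Domain Users
        [int] $DomainUsersRid = 513
    )
    foreach ($u in $Users) {
        $viaPrimary = $u.PrimaryGroupID -eq $DomainUsersRid
        # memberOf never lists the primary group, so both attributes are checked
        $viaMemberOf = @($u.MemberOf) -contains $DomainUsersDN
        if (-not ($viaPrimary -or $viaMemberOf)) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                PrimaryGroupID = $u.PrimaryGroupID
                Note           = 'Not in Domain Users in AD; UserLock still counts it as a member'
            }
        }
    }
}

# Constructed sample data: hypothetical accounts in a hypothetical domain
$dn = 'CN=Domain Users,CN=Users,DC=example,DC=test'
$sample = @(
    # Default case: Domain Users is the primary group
    [pscustomobject]@{ SamAccountName = 'alice'; PrimaryGroupID = 513; MemberOf = @() }
    # Primary group changed, but still an ordinary member of Domain Users
    [pscustomobject]@{ SamAccountName = 'bob'; PrimaryGroupID = 1105; MemberOf = @($dn) }
    # Removed from Domain Users entirely: the only account reported
    [pscustomobject]@{ SamAccountName = 'svc-print'; PrimaryGroupID = 1105
                       MemberOf = @('CN=Printers,CN=Users,DC=example,DC=test') }
)
Get-DomainUsersDivergence -Users $sample -DomainUsersDN $dn | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# $du    = Get-ADGroup -Identity "$((Get-ADDomain).DomainSID)-513"
# $users = Get-ADUser -Filter * -Properties PrimaryGroupID, MemberOf
# Get-DomainUsersDivergence -Users $users -DomainUsersDN $du.DistinguishedName
```

Any account the function reports remains subject to a protected account defined on "Domain Users", so removing it from the group in Active Directory does not take it out of scope.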