Yah, I suspect you've hit the LocalAdminFallback behavior. Basically,
pGina has always had a catch to allow members of the local
administrators group to login irrespective of what the plugin stack
says - otherwise if you mess up your stack ... you're hosed (though
safe mode *might* help in some circumstances).
Here's the comment in the code
(
https://github.com/pgina/pgina/blob/master/pGina/src/Lib/pGinaTransactions.cpp)
:)
// If we failed, and the 'LocalAdminFallback' option is on, try this
with LogonUser iff the username is an
// admin locally. In fact, it is so rare that this should be turned
off, that we don't expose it in the UI
// even.. woah!
So - try setting LocalAdminFallback (DWORD) to 0x00 in the registry -
I suspect then you'll get the behavior you expect - but be warned -
lockout may be imminent!
Nate