This configuration parameter specifies whether to allow users to log in when the user account is locked out and the computer is not connected to Active Directory. The default value is false (that is, users cannot log in). For example:

secedit.system.access.lockout.allowofflinelogin: false

You can also set this parameter using group policy.