RHEL7: Configure local user failed attempt locking while also using SSSD/AD
Anyone have any experience in setting up failed attempt locking for local users on servers that mainly use the SSSD/AD connector?
For the most part, most interactive logins will be done via AD accounts, but I want to have a few service accounts stay local, and for compliance reasons I still need to apply failed login attempt locking (with duration).
I used realm to set up the AD connection and then followed section 4.1.2 of the hardening guide ( https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services ), but when I tried to log in with my AD account, I was put into a loop of being asked for my password. I assume I have something out of order or the like, but my PAM foo isn't all that strong, and to me it feels like it should work.