Intruder Detection limits the number of unsuccessful login attempts. The AFP server does not support intruder detection, so if the AFP user does not log in successfully, the user is not locked out even if you have set intruder detection to ON in NMAS.