Found it.
Code:
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
at the top of my /etc/pam.d/login file. This line caused all local users logging in at the console to be allowed access regardless what was in the system-auth file.
I ran into some issues after I commented that line out, but they aren't of any concern to this discussion.
Not too sure what those options mean, but it appears that it checks the securetty file, which lists the console, thus returns a "success" and fulfills the authentication requirements. I'm assuming (and will try to research it more tomorrow) that the "user_unknown=ignore" argument is why non-local users had to have a valid password because their Active Directory account was not known to the stack at this stage.