Microsoft KB Archive/278299

= Locked-Out Account That Is Reset at a Different Domain Controller May Be Locked Out =

Article ID: 278299

Article Last Modified on 10/27/2006


APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q278299



SYMPTOMS
When you are using account-lockout policies in a domain with more than one domain controller (DC), if an account was previously locked out and then unlocked by an administrator, the account may be locked out after only one bad password attempt.



CAUSE
This problem can occur because Windows 2000 maintains a bad-password count for each user. This count is the number of bad password attempts that have been made since the last successful logon. When user account details are replicated between DCs, the locked-out state is replicated. However, bad-password counts are not replicated between DCs.

If a user is locked out by exceeding the maximum bad-password count that has been configured by a policy on the authenticating DC, the user account is marked as locked out, and the locked-out state is replicated to other DCs.

If an administrator then unlocks the account, the bad-password count for the user is set to zero on the DC that is processing the unlock request, and the unlocked state is replicated to other DCs. However, the bad-password count (now zero) is not replicated to other DCs.

Because of this, if the DC that authenticates the user's next logon attempt is the DC that originally locked out the user and the user account was unlocked on a different DC, the authenticating DC sees an unlocked account that has a bad-password count at the lockout threshold that has been set by a policy.

Under the preceding conditions, one bad password attempt is sufficient to lock out the same account again.
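
The sequence described above can be reproduced with a small model. This is an added example, not Microsoft code: the class and function names, the user name, and the threshold of 3 are assumptions made for illustration.

```python
# Toy model of the CAUSE section: lockout state replicates between DCs,
# the per-DC bad-password count does not. All names here are hypothetical.

class Domain:
    def __init__(self, threshold):
        self.threshold = threshold   # lockout threshold set by policy
        self.dcs = []

    def replicate_lock_state(self, user, locked):
        # Only the locked/unlocked state travels between DCs.
        for dc in self.dcs:
            if locked:
                dc.locked.add(user)
            else:
                dc.locked.discard(user)


class DC:
    def __init__(self, name, domain):
        self.name = name
        self.domain = domain
        self.bad_pwd_count = {}      # local to this DC, never replicated
        self.locked = set()          # replicated lockout state
        domain.dcs.append(self)

    def logon(self, user, password_ok):
        if user in self.locked:
            return "locked"
        if password_ok:
            self.bad_pwd_count[user] = 0   # count restarts after a good logon
            return "ok"
        self.bad_pwd_count[user] = self.bad_pwd_count.get(user, 0) + 1
        if self.bad_pwd_count[user] >= self.domain.threshold:
            self.domain.replicate_lock_state(user, True)
            return "locked"
        return "bad password"

    def unlock(self, user):
        self.bad_pwd_count[user] = 0       # reset only on the DC doing the unlock
        self.domain.replicate_lock_state(user, False)


def attempts_until_relock(unlock_on_same_dc, threshold=3):
    """Lock 'alice' out at DC1, unlock, then count bad attempts at DC1 until relock."""
    domain = Domain(threshold)
    dc1, dc2 = DC("DC1", domain), DC("DC2", domain)
    for _ in range(threshold):
        dc1.logon("alice", password_ok=False)
    (dc1 if unlock_on_same_dc else dc2).unlock("alice")
    attempts = 1
    while dc1.logon("alice", password_ok=False) != "locked":
        attempts += 1
    return attempts
```

With the unlock processed at DC2, `attempts_until_relock(False)` returns 1; with the unlock processed at DC1, where the count was reset, it returns the full threshold.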



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:

  Date        Time     Version         Size      File name
  -------------------------------------------------------------------
  5/31/2001   11:13p   5.0.2195.3663   501,520   Lsasrv.dll (56-bit)
  5/31/2001   03:30p   5.0.2195.3649   354,576   Advapi32.dll
  5/31/2001   03:37p   5.0.2195.3649   519,440   Instlsa5.dll
  5/31/2001   03:31p   5.0.2195.3649   142,608   Kdcsvc.dll
  5/30/2001   02:55p   5.0.2195.3649   209,008   Kerberos.dll
  5/29/2001   09:26a   5.0.2195.3649    69,456   Ksecdd.sys
  5/29/2001   09:26a   5.0.2195.3649   501,520   Lsasrv.dll
  5/29/2001   09:26a   5.0.2195.3649    33,552   Lsass.exe
  5/31/2001   03:31p   5.0.2195.3652   908,560   Ntdsa.dll
  5/31/2001   03:31p   5.0.2195.3649   382,736   Samsrv.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Additional query words: kbDirServices

Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbenv kbnetwork kbsecurity kbdirservices kbhotfixserver KB278299


© Microsoft Corporation. All rights reserved.