Microsoft KB Archive/200900

= How Windows NT Handles Incorrect User/Machine Account Passwords =

Article ID: 200900

Article Last Modified on 2/20/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 3.51
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



This article was previously published under Q200900





SUMMARY
If you type an incorrect password when you log on to a computer running Windows NT Workstation 4.0 or later that has a secure channel with a backup domain controller (BDC), the BDC checks the primary domain controller (PDC) before it denies the logon attempt to the workstation.

If the PDC has the updated password, the BDC grants the secure channel request with the workstation and then immediately synchronizes with the PDC.



MORE INFORMATION
Machine account passwords behave differently than logon passwords. During the authentication process when the workstation is setting up a secure channel with a BDC, it sends the machine account password for authentication. If the password the workstation sends does not match the password on the BDC for this machine account, the BDC does not verify the password with the PDC. Instead, it logs an error 5722 in the System Event log and denies the logon attempt to the workstation.

In Windows 2000 this behavior changes. Machine account passwords behave like user account passwords and the BDC verifies a password with the PDC before denying a logon attempt to the workstation.

Additional query words: kbDSupport

Keywords: kbinfo KB200900

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.