Microsoft KB Archive/260930

= Machine Account Lockout May Cause Problems on Primary Domain Controller =

Article ID: 260930

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q260930



SYMPTOMS
Machine account logon attempts may not work between Windows 2000-based domain controllers. This behavior can occur if the machine account password is changed by the domain controller and enough unsuccessful attempts are made to log on to that account with the wrong password.

The machine account is much like a regular user account, but it is used by domain controllers to facilitate communication between other domain controllers and computers on the network. This account is usually in the form of $ and is not editable by the administrator.

If enough unsuccessful logon attempts are made by the server with the machine account, the account becomes disabled. Even after the correct password is finally used to log on to that account, the attempt does not succeed.

After this account has been disabled, there is no way in the Windows 2000 user interface to enable the account. It may also be difficult to tell if the account is actually disabled.

In the worst-case scenario, domain controllers could be prevented from replicating.



CAUSE
In Microsoft Windows NT 4.0, machine accounts are used only for secure channel setups, which ignore the lockout advisory. In Windows 2000, computers use Kereberos logons for the machine accounts, which do use the lockout settings.



RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack



STATUS
Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 1.

Additional query words: locked log in login

Keywords: kbbug KB260930

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.