Microsoft KB Archive/817701

= Service packs and hotfixes that are available to resolve account lockout issues =

Article ID: 817701

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows 95
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition




IN THIS TASK

 * SUMMARY
 * Windows Server 2003
 * Windows XP
 * Windows 2000
 * Windows 2000-Based Domain Controllers
 * Windows 2000-Based Client Computers
 * Windows NT 4.0
 * Windows 98 and Windows 95
 * REFERENCES



SUMMARY
This article describes the latest hotfix updates or service packs that are available, as of June 2003, to resolve account-lockout issues that you may experience when you use the Microsoft operating systems that are listed in the "Applies to" section of this article. It is intended to help you troubleshoot account-lockout issues, and it lists the latest hotfixes or service packs that are available for each operating system.


Windows Server 2003
Install the latest service pack on all Windows Server 2003 domain controllers, servers, and client computers.

Hotfix 826133 is a client-side hotfix that you can apply to a Windows Server 2003-based computer on the network. For more information about this hotfix, click the following article number to view the article in the Microsoft Knowledge Base:

826133 User of a disabled account is prompted to change the password before the "Account has been disabled" message appears


Windows XP
Install the latest service pack on all Windows XP-based client computers.


Windows 2000
Install the latest service pack on all Windows 2000 domain controllers, servers, and client computers. On domain controllers that are running Windows 2000 Service Pack 3 (SP3), you must install the update that is described in the following Microsoft Knowledge Base article to obtain the benefits described in the "Windows 2000-Based Domain Controllers" section of this article:

812499 You cannot change your password after an administrator resets it

This hotfix is included in Windows 2000 Service Pack 4 (SP4). For more information about the problems that are fixed in Windows 2000 SP4, click the following article number to view the article in the Microsoft Knowledge Base:

327194 List of bugs that are fixed in Windows 2000 Service Pack 4

When you apply the latest service pack to your domain controllers and other computers involved in the account-lockout process, you remove the chance of incorrectly incrementing and resetting a bad password count over the Kerberos or NT LAN Manager (NTLM) authentication feature. Many of the account-lockout issues that you may experience are resolved in Windows 2000 SP3 and Windows 2000 SP4 and include the issues that are described in the following Microsoft Knowledge Base articles:

264678 Increased account lockout frequency in a Windows 2000 domain

287639 Client cannot log on even if the account is unlocked on the primary domain controller

278299 Locked-out account that is reset at a different domain controller may be locked out

292573 ADSI SetPassword call does not always set the password on the target domain controller

263821 Account lockout because bad password count field (BadPwdCount) is not reset to 0

294811 You receive a password expiration message after you change your password

306133 Account unlocks and manual password expirations are not replicated urgently

303290 Drive mapping for the home folder may overwrite the local drive mapping after you apply Windows 2000 SP2


Windows 2000-Based Domain Controllers
Install Windows 2000 SP4 or Windows 2000 SP3 together with the following:

 * The post-SP3 regression fixes that are described in the following Knowledge Base article:

331161 Hotfixes to install before you run adprep /Forestprep on a Windows 2000 domain controller to prepare the Forest and domains for the addition of Windows Server 2003-based domain controllers

 * The post-SP3 account-lockout enhancements that are described in the following Knowledge Base article:

812499 You cannot change your password after an administrator resets it



Important: To gain the benefit of the hotfix that is described in Knowledge Base article 812499, you must configure the password history setting in your domain group policy with a minimum value of 3. For additional information about how to configure account passwords and policies, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/d7e66b86-7b31-45a8-b11f-449fe7e7c62e1033.mspx



Microsoft recommends that you install the Windows 2000 post-SP3 account-lockout enhancements if the domain controllers that are running Windows 2000 SP3 are in the same domain as the domain controllers that are running Windows Server 2003 and if account lockout policies are enabled. Microsoft recommends that you install the latest service pack that is available for Windows 2000.


Windows 2000-Based Client Computers
Install Windows 2000 SP4 on all Windows 2000-based client computers.


Windows NT 4.0
Install Windows NT 4.0 Service Pack 6a (SP6a) on all Windows NT 4.0-based computers. Also, on any client computers, install the hotfix that is described in the "Windows NT 4.0" section of the following Microsoft Knowledge Base article:

275508 SMB session credentials are not updated after password change resulting in account lockout


Windows 98 and Windows 95
Install the latest Directory Services (DS) client update on all Windows 98-based and Windows 95-based client computers.

If you do not want to install this directory services update on your Windows 98-based and Windows 95-based client computers, you can install the original directory services client, and then update the client computers with the updates that are described in the following Knowledge Base articles:

266772 Client cannot log on if unicode string is passed to NTLM security support provider interface

271496 One unsuccessful logon attempt may trigger the default Windows NT lockout policy

293793 Exception 0E in Vredir error messages when you open network files


