Microsoft KB Archive/263821

= Account Lockout Because Bad Password Count Field (BadPwdCount) is Not Reset to 0 =

Article ID: 263821

Article Last Modified on 2/19/2007


APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q263821



SYMPTOMS
User accounts may get locked out in a mixed environment with Windows 2000-based domains and Microsoft Windows NT 4.0-based domains.

This issue can also occur when new user accounts are created and the user changes their password on initial logon. It can also occur if the default account policy is configured for User Must Change Password at Next Logon. If the user connects to NT 4.0 or Windows 2000 servers immediately after logon, the account can be locked out within seconds, depending on the number of bad passwords that the Account Lockout threshold allows.



CAUSE
When a Windows 2000-based domain controller receives an NTLM authentication request, it tries to validate the password in its database. If it does not succeed, it increments the bad password count, and passes the request to the primary domain controller because the database may not be synchronized.

If the primary domain controller responds to the domain controller that forwarded the request with successful validation, the bad password count for the user on the domain controller should be reset to 0. However, the domain controller is not resetting the count to 0.

This problem may be seen only in the Windows 2000 environment because UAS replication does not occur as frequently as in the Windows NT 4.0 domain environment. User passwords on different domain controllers may be out of synchronization for a longer period of time. Also, the bad password count field is not replicated between the domain controllers.

The fix described in this article should be applied to all Windows 2000-based domain controllers to eliminate the issue described above.
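
The following model is an added example, not Microsoft code: it replays the forwarding logic described above for a domain controller whose copy of the password is stale, with and without the reset to 0. Class names, the sample user, the passwords, and the rule that the attempt reaching the threshold still succeeds are assumptions made for illustration.

```python
# Toy model of the CAUSE section. All names are hypothetical; sample data is constructed.

class PrimaryDC:
    """Primary domain controller: holds the current password."""
    def __init__(self, passwords):
        self.passwords = passwords

    def validate(self, user, password):
        return self.passwords.get(user) == password


class DomainController:
    def __init__(self, passwords, pdc, threshold, reset_on_pdc_success):
        self.passwords = dict(passwords)  # local database, may be out of sync
        self.pdc = pdc
        self.threshold = threshold        # Account Lockout threshold
        self.reset_on_pdc_success = reset_on_pdc_success  # False = behaviour before the fix
        self.bad_pwd_count = {}           # kept per DC, not replicated
        self.locked = set()

    def ntlm_logon(self, user, password):
        if user in self.locked:
            return "LOCKED_OUT"
        if self.passwords.get(user) == password:
            self.bad_pwd_count[user] = 0
            return "OK"
        # Local validation failed: increment the count, then ask the PDC.
        self.bad_pwd_count[user] = self.bad_pwd_count.get(user, 0) + 1
        pdc_ok = self.pdc.validate(user, password)
        if pdc_ok and self.reset_on_pdc_success:
            self.bad_pwd_count[user] = 0  # the reset that the fix restores
            return "OK"
        if self.bad_pwd_count[user] >= self.threshold:
            self.locked.add(user)         # locks even though the PDC accepted
        return "OK" if pdc_ok else "BAD_PASSWORD"


def simulate(reset_on_pdc_success, connections=5, threshold=3):
    """User has just changed the password; only the PDC has the new one."""
    pdc = PrimaryDC({"alice": "NewPass1"})
    dc = DomainController({"alice": "OldPass0"}, pdc, threshold, reset_on_pdc_success)
    results = [dc.ntlm_logon("alice", "NewPass1") for _ in range(connections)]
    return results, dc.bad_pwd_count["alice"]


if __name__ == "__main__":
    print("before fix:", simulate(reset_on_pdc_success=False))
    print("after fix: ", simulate(reset_on_pdc_success=True))
```

Because the count lives on each domain controller separately, the lockout in the first run appears only on the controller with the stale password, which is why the fix has to be on every domain controller.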



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:

 Date        Time     Version         Size      File name
 ----------------------------------------------------------------
 7/17/2001   04:52p   5.0.2195.3870   501,520   Samsrv.dll (56-bit)
 7/18/2001   05:55p   5.0.2195.3858   355,088   Advapi32.dll
 7/18/2001   05:55p   5.0.2195.3649   135,440   Dnsapi.dll
 7/18/2001   05:55p   5.0.2195.3649    94,992   Dnsrslvr.dll
 7/18/2001   05:51p   5.0.2195.3870   519,440   Instlsa5.dll
 7/18/2001   05:56p   5.0.2195.3817   142,608   Kdcsvc.dll
 7/17/2001   05:08p   5.0.2195.3872   197,392   Kerberos.dll
 6/26/2001   08:16p   5.0.2195.3781    69,456   Ksecdd.sys
 7/17/2001   04:52p   5.0.2195.3870   501,520   Lsasrv.dll
 7/17/2001   04:52p   5.0.2195.3870    33,552   Lsass.exe
 7/18/2001   05:56p   5.0.2195.3776   306,448   Netapi32.dll
 7/18/2001   05:56p   5.0.2195.3776   357,648   Netlogon.dll
 7/18/2001   05:56p   5.0.2195.3868   909,072   Ntdsa.dll
 7/18/2001   05:56p   5.0.2195.3848   382,224   Samsrv.dll
 7/18/2001   05:56p   5.0.2195.3781   128,784   Scecli.dll
 7/18/2001   05:55p   5.0.2195.3649   299,792   Scesrv.dll
 7/18/2001   05:55p   5.0.2195.3649    48,400   W32time.dll
 5/29/2001   09:26a   5.0.2195.3649    56,080   W32tm.exe



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 Datacenter Program and Windows 2000 Datacenter Server Product

For additional information on how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes


Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbsecurity kbhotfixserver KB263821


© Microsoft Corporation. All rights reserved.