Article ID: 278299
Article Last Modified on 10/27/2006
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q278299
SYMPTOMS
When you are using account-lockout policies in a domain with more than one domain controller (DC), if an account was previously locked out and then unlocked by an administrator, the account may be locked out after only one bad password attempt.
CAUSE
This problem can occur because Windows 2000 maintains a bad-password count for each user. This count is the number of bad password attempts that have been made since the last successful logon. When user account details are replicated between DCs, the locked-out state is replicated. However, bad-password counts are not replicated between DCs.
If a user is locked out by exceeding the maximum bad-password count that has been configured by a policy on the authenticating DC, the user account is marked as locked out, and the locked-out state is replicated to other DCs.
If an administrator then unlocks the account, the bad-password count for the user is set to zero on the DC that is processing the unlock request, and the unlocked state is replicated to other DCs, but the bad-password count (now zero) is not replicated to other DCs.
Because of this, if the DC that authenticates the user's next logon attempt is the DC that originally locked out the user and the user account was unlocked on a different DC, the authenticating DC sees an unlocked account that has a bad-password count at the lockout threshold that has been set by a policy.
Under the preceding conditions, one bad password attempt is sufficient to lock out the same account again.
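The interaction described in CAUSE, as an added toy model that is not part of the article: two DCs share the replicated locked-out flag but each keeps its own, unreplicated bad-password count. The DC names, the user name and the threshold value are constructed for illustration.

```python
# Added example, not from the KB article: a minimal model of the Windows 2000
# behaviour described above. The locked-out flag is replicated between DCs;
# the bad-password count is kept per DC and never replicated.

LOCKOUT_THRESHOLD = 3  # constructed value for the "account lockout threshold" policy

class DomainController:
    def __init__(self, name):
        self.name = name
        self.locked_out = {}     # replicated attribute: user -> bool
        self.bad_pwd_count = {}  # NOT replicated: user -> int, local to this DC

    def authenticate(self, user, password_ok):
        """Handle one logon attempt on this DC; return 'locked', 'ok' or 'bad'."""
        if self.locked_out.get(user, False):
            return "locked"
        if password_ok:
            self.bad_pwd_count[user] = 0   # count is "since the last successful logon"
            return "ok"
        self.bad_pwd_count[user] = self.bad_pwd_count.get(user, 0) + 1
        if self.bad_pwd_count[user] >= LOCKOUT_THRESHOLD:
            self.locked_out[user] = True   # this DC locks the account
        return "bad"

    def unlock(self, user):
        """Administrator unlock: clears the flag and only this DC's own count."""
        self.locked_out[user] = False
        self.bad_pwd_count[user] = 0

def replicate(src, dst):
    """Replicate the locked-out state only; the bad-password count stays local."""
    dst.locked_out.update(src.locked_out)

def reproduce(unlock_on_same_dc):
    """Drive the article's scenario. DC1 locks the account; the admin unlocks it
    on DC1 or DC2; the user then makes one bad attempt on DC1. Returns DC1's
    (locked_out, bad_pwd_count) after that single attempt."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    for _ in range(LOCKOUT_THRESHOLD):
        dc1.authenticate("alice", password_ok=False)  # DC1 reaches the threshold
    replicate(dc1, dc2)                               # lockout reaches DC2
    unlocker = dc1 if unlock_on_same_dc else dc2
    other = dc2 if unlocker is dc1 else dc1
    unlocker.unlock("alice")
    replicate(unlocker, other)                        # unlock replicates, count does not
    dc1.authenticate("alice", password_ok=False)      # one bad attempt on DC1
    return dc1.locked_out["alice"], dc1.bad_pwd_count["alice"]

if __name__ == "__main__":
    print("unlocked on DC2, retry on DC1:", reproduce(unlock_on_same_dc=False))  # (True, 4)
    print("unlocked on DC1, retry on DC1:", reproduce(unlock_on_same_dc=True))   # (False, 1)
```

The first call shows the symptom: DC1 still holds a count at the threshold after the remote unlock, so a single bad password re-locks the account; the second call shows that unlocking on the locking DC avoids it.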
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date        Time    Version        Size     File name
-----------------------------------------------------------------
5/31/2001   11:13p  5.0.2195.3663  501,520  Lsasrv.dll (56-bit)
5/31/2001   03:30p  5.0.2195.3649  354,576  Advapi32.dll
5/31/2001   03:37p  5.0.2195.3649  519,440  Instlsa5.dll
5/31/2001   03:31p  5.0.2195.3649  142,608  Kdcsvc.dll
5/30/2001   02:55p  5.0.2195.3649  209,008  Kerberos.dll
5/29/2001   09:26a  5.0.2195.3649   69,456  Ksecdd.sys
5/29/2001   09:26a  5.0.2195.3649  501,520  Lsasrv.dll
5/29/2001   09:26a  5.0.2195.3649   33,552  Lsass.exe
5/31/2001   03:31p  5.0.2195.3652  908,560  Ntdsa.dll
5/31/2001   03:31p  5.0.2195.3649  382,736  Samsrv.dll
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Additional query words: kbDirServices
Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbenv kbnetwork kbsecurity kbdirservices kbhotfixserver KB278299