Locked-Out Account That Is Reset at a Different Domain Controller May Be Locked Out (278299)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
This article was previously published under Q278299

SYMPTOMS
When you are using account-lockout policies in a domain with more than one domain controller (DC), an account that was locked out and then unlocked by an administrator may be locked out again after only one bad password attempt.

CAUSE
This problem can occur because Windows 2000 maintains a bad-password count for each user. This count is the number of bad password attempts that have been made since the last successful logon, and each DC keeps its own copy of it. When user account details are replicated between DCs, the locked-out state is replicated. However, bad-password counts are not replicated between DCs.

If a user is locked out by exceeding the maximum bad-password count that has been configured by a policy on the authenticating DC, the user account is marked as locked out, and the locked-out state is replicated to other DCs.

If an administrator then unlocks the account, the bad-password count for the user is set to zero on the DC that is processing the unlock request, and the unlocked state is replicated to other DCs, but the bad-password count (now zero) is not replicated to other DCs. The DC that originally locked out the user therefore still holds a count at the lockout threshold.

Because of this, if the DC that authenticates the user's next logon attempt is the DC that originally locked out the user, and the user account was unlocked on a different DC, the authenticating DC sees an unlocked account that has a bad-password count at the lockout threshold that has been set by a policy.

Under the preceding conditions, one bad password attempt is sufficient to lock out the same account again.

RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
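As an added example (not code from this article), the following PowerShell script reports the bad-password count and locked-out state of one account as each DC sees it, so an administrator can find the DC that still holds a count at the lockout threshold after the account was unlocked elsewhere. It assumes an environment later than the one this article covers: the ActiveDirectory PowerShell module (RSAT), which did not exist for Windows 2000, and its Get-ADDomainController, Get-ADUser, Get-ADDefaultDomainPasswordPolicy and Unlock-ADAccount cmdlets. The function names, the AtRisk column and the account name 'jdoe' are this example's own placeholders. Unlocking against every DC is a workaround that follows from the CAUSE section: the unlock zeroes the count only on the DC that processes it.

```powershell
# Added example, not code from KB 278299. Requires the ActiveDirectory module
# (RSAT) and permission to read and unlock the account; these are assumptions
# about the environment, not something the article supplies.
Import-Module ActiveDirectory

function Get-BadPwdCountReport {
    # Query the same account on every DC. badPwdCount is not replicated, so the
    # value can legitimately differ per DC; lockoutTime (the locked-out state) is.
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties badPwdCount, lockoutTime, lastBadPasswordAttempt
            $count  = [int]$u.badPwdCount
            $locked = ([int64]$u.lockoutTime -gt 0)
            [pscustomobject]@{
                DC          = $dc.HostName
                BadPwdCount = $count
                LockedOut   = $locked
                LastBadPwd  = $u.lastBadPasswordAttempt
                # An unlocked account whose local count already sits at the
                # threshold will lock again on the next bad password at this DC.
                AtRisk      = ($threshold -gt 0 -and $count -ge $threshold -and -not $locked)
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
}

function Unlock-OnEveryDC {
    # Workaround derived from the CAUSE section: the unlock zeroes the count only
    # on the DC that processes it, so send the unlock to each DC directly.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    foreach ($dc in Get-ADDomainController -Filter *) {
        Unlock-ADAccount -Identity $SamAccountName -Server $dc.HostName
    }
}

# Usage ('jdoe' is a placeholder account name):
Get-BadPwdCountReport -SamAccountName 'jdoe' | Format-Table -AutoSize
# Unlock-OnEveryDC -SamAccountName 'jdoe'
```

Run the report before and after an unlock: a DC that shows LockedOut = False but BadPwdCount at the domain threshold is the DC that will re-lock the account on the next bad password, which is exactly the condition the CAUSE section describes.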
The English version of this fix should have the following file attributes or later:

   Date        Time    Version        Size     File name
   ---------------------------------------------------------------
   5/31/2001   11:13p  5.0.2195.3663  501,520  Lsasrv.dll (56-bit)
   5/31/2001   03:30p  5.0.2195.3649  354,576  Advapi32.dll
   5/31/2001   03:37p  5.0.2195.3649  519,440  Instlsa5.dll
   5/31/2001   03:31p  5.0.2195.3649  142,608  Kdcsvc.dll
   5/30/2001   02:55p  5.0.2195.3649  209,008  Kerberos.dll
   5/29/2001   09:26a  5.0.2195.3649   69,456  Ksecdd.sys
   5/29/2001   09:26a  5.0.2195.3649  501,520  Lsasrv.dll
   5/29/2001   09:26a  5.0.2195.3649   33,552  Lsass.exe
   5/31/2001   03:31p  5.0.2195.3652  908,560  Ntdsa.dll
   5/31/2001   03:31p  5.0.2195.3649  382,736  Samsrv.dll
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
Modification Type: Minor
Last Reviewed: 9/26/2005
Keywords: kbHotfixServer kbQFE kbbug kbDirServices kbenv kbfix kbnetwork kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB278299