How Windows NT Handles Incorrect User/Machine Account Passwords (200900)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0

This article was previously published under Q200900

SUMMARY

If you type an incorrect password when you log on to a computer running Windows NT Workstation 4.0 or later that has a secure channel with a backup domain controller (BDC), the BDC checks the primary domain controller (PDC) before it denies the logon attempt to the workstation.

If the PDC has the updated password, the BDC grants the secure channel request with the workstation and then immediately synchronizes with the PDC.

MORE INFORMATION

Machine account passwords behave differently from logon passwords. During authentication, when the workstation sets up a secure channel with a BDC, it sends the machine account password. If the password the workstation sends does not match the password on the BDC for this machine account, the BDC does not verify the password with the PDC. Instead, it logs error 5722 in the System event log and denies the logon attempt to the workstation.

In Windows 2000, this behavior changes. Machine account passwords behave like user account passwords, and the BDC verifies a password with the PDC before denying a logon attempt to the workstation.
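
As an added example (not part of the original article and not a Microsoft tool), the following Python script triages the error 5722 entries described above by grouping them per machine account, so that workstations whose secure channel setup keeps failing stand out. The CSV export layout, the host names and the message wording in the sample are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data: the CSV column layout, host names and message
# wording are assumptions for this example, not output from a real system.
MSG = ("The session setup from the computer {0} failed to authenticate. "
       "The name of the account referenced in the security database is {0}$. "
       "The following error occurred: Access is denied.")
SAMPLE_EXPORT = "\n".join([
    "TimeGenerated,Source,EventID,Computer,Message",
    "1999-03-01 08:00:12,NETLOGON,5722,BDC01," + MSG.format("WKS07"),
    "1999-03-01 08:03:40,EventLog,6005,BDC01,The Event log service was started.",
    "1999-03-01 08:15:02,NETLOGON,5722,BDC01," + MSG.format("WKS07"),
    "1999-03-01 09:20:55,NETLOGON,5722,BDC02," + MSG.format("WKS07"),
    "1999-03-01 10:01:09,NETLOGON,5722,BDC01," + MSG.format("WKS12"),
])
ACCOUNT_RE = re.compile(r"account referenced in the security database is (\S+?)\.\s")


def failed_machine_accounts(export_text, min_events=2):
    """Group error 5722 entries by machine account; keep repeat offenders."""
    seen = defaultdict(lambda: {"count": 0, "dcs": set(), "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Source"].upper() != "NETLOGON" or row["EventID"] != "5722":
            continue
        match = ACCOUNT_RE.search(row["Message"])
        if not match:
            continue  # unexpected message layout: skip rather than guess
        when = datetime.strptime(row["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
        entry = seen[match.group(1)]
        entry["count"] += 1
        entry["dcs"].add(row["Computer"])  # domain controller that logged it
        entry["first"] = min(entry["first"] or when, when)
        entry["last"] = max(entry["last"] or when, when)
    return {acct: e for acct, e in seen.items() if e["count"] >= min_events}


if __name__ == "__main__":
    for acct, e in sorted(failed_machine_accounts(SAMPLE_EXPORT).items()):
        print(f"{acct}: {e['count']} failures on {sorted(e['dcs'])}, "
              f"{e['first']} to {e['last']}")
```

An account that appears on more than one domain controller, or over a long time span, points to a machine account password that is out of step rather than a single failed attempt.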

Modification Type: Major
Last Reviewed: 5/14/2003
Keywords: kbinfo KB200900