Account Lockout Because Bad Password Count Field (BadPwdCount) is Not Reset to 0 (263821)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
This article was previously published under Q263821 SYMPTOMS
User accounts may get locked out in a mixed environment with Windows 2000-based domains and Microsoft Windows NT 4.0-based domains.
This issue can also occur when new user accounts are created and the user changes their password on initial logon. If the default account policy is configured for User Must Change Password at Next Logon, this can also occur. If the user connects to NT 4.0 or Windows 2000 servers immediately on login, the account can be locked out within seconds depending on the number of bad passwords allowed within Account Lockout threshold.
CAUSE
When a Windows 2000-based domain controller receives an NTLM authentication request, it tries to validate the password in its database. If it does not succeed, it increments the bad password count, and passes the request to the primary domain controller because the database may not be synchronized.
If the primary domain controller responds to the domain controller that forwarded the request with successful validation, the bad password count for the user on the domain controller should be reset to 0. However, the domain controller is not resetting the count to 0.
This problem may only be seen in the Windows 2000 environment because UAS replication does not occur as frequently as in the Windows NT 4.0 domain environment. User passwords between domain controllers may be out of synchronization for longer period of time. Also, the bad password count field is not replicated between the domain controllers.
The fix described in this article should be applied to all Windows 2000-based domain controllers to eliminate the issue described above.
RESOLUTIONTo resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
-----------------------------------------------------------------
7/17/2001 04:52p 5.0.2195.3870 501,520 Samsrv.dll (56-bit)
7/18/2001 05:55p 5.0.2195.3858 355,088 Advapi32.dll
7/18/2001 05:55p 5.0.2195.3649 135,440 Dnsapi.dll
7/18/2001 05:55p 5.0.2195.3649 94,992 Dnsrslvr.dll
7/18/2001 05:51p 5.0.2195.3870 519,440 Instlsa5.dll
7/18/2001 05:56p 5.0.2195.3817 142,608 Kdcsvc.dll
7/17/2001 05:08p 5.0.2195.3872 197,392 Kerberos.dll
6/26/2001 08:16p 5.0.2195.3781 69,456 Ksecdd.sys
7/17/2001 04:52p 5.0.2195.3870 501,520 Lsasrv.dll
7/17/2001 04:52p 5.0.2195.3870 33,552 Lsass.exe
7/18/2001 05:56p 5.0.2195.3776 306,448 Netapi32.dll
7/18/2001 05:56p 5.0.2195.3776 357,648 Netlogon.dll
7/18/2001 05:56p 5.0.2195.3868 909,072 Ntdsa.dll
7/18/2001 05:56p 5.0.2195.3848 382,224 Samsrv.dll
7/18/2001 05:56p 5.0.2195.3781 128,784 Scecli.dll
7/18/2001 05:55p 5.0.2195.3649 299,792 Scesrv.dll
7/18/2001 05:55p 5.0.2195.3649 48,400 W32time.dll
5/29/2001 09:26a 5.0.2195.3649 56,080 W32tm.exe
STATUSMicrosoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
| Modification Type: | Minor | Last Reviewed: | 9/23/2005 |
|---|
| Keywords: | kbHotfixServer kbQFE kbbug kbfix kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB263821 |
|---|
|