Trying to connect to a share via the "Run" command of the Explorer can lead to an account lockout. (841075)
The information in this article applies to:
- Microsoft Windows NT Workstation
- Microsoft Windows NT Server, Enterprise Edition
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows XP Professional
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
If an account lockout policy is applied to a domain, and an account with the same name exists both in the domain and in the local SAM of a client of that domain but with a different password, the domain account is locked out when a user logs on to the local account on the client
and tries to connect to a share on a member server of the domain via the "Run" command on the "Start" menu of Explorer.
This can also happen if the client is a member of another domain that has the same account with a different password and the user is logged
on to that account.
The number of connection requests sent before the user is prompted depends on the OS of the client:
- A Windows NT4 SP6a client sends 4 authentication requests.
- A Windows 2000 SP4 client sends 9 authentication requests.
- A Windows XP SP1 client sends 13 authentication requests.
Each authentication request is made with the local credentials (the local username and its local password), which do not match the credentials
of the domain account. As a consequence, each connection request increments the bad password count of the domain account. If the lockout
threshold of the policy is smaller than the number of attempts listed above, the account is locked out before the user is prompted to enter
credentials. As a result, the user is never prompted for credentials; instead, he gets a message saying the account is locked out.
To prevent the account from being locked out, either adjust the account lockout threshold of the policy according to the number of connection requests
of the clients shown above, or force users to connect to the share via "Map Network Drive" on the "Tools" menu of Explorer or
via the "net use" command at a command prompt.
The latter can be enforced by applying a policy to the domain that disables the "Run" command on the "Start" menu of Explorer.
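To find affected accounts before users run into this, the following PowerShell audit (an added example, not part of the original article) lists enabled local accounts on a client whose name also exists in the domain and compares the domain lockout threshold with the per-client-OS attempt counts above. It assumes the ActiveDirectory module (RSAT) is installed and that it runs on a client where Get-LocalUser is available; the $AttemptsByOs table is a hypothetical name that simply restates the counts from the article.

```powershell
# Added example: audit local accounts that also exist in the domain and could be
# locked out by the "Run" command behaviour described in this article (KB841075).
# Assumes the ActiveDirectory module is present and Get-LocalUser is available.
Import-Module ActiveDirectory

# Authentication attempts sent before the credential prompt, per client OS (counts from the article).
$AttemptsByOs = @{
    'Windows NT4 SP6a' = 4
    'Windows 2000 SP4' = 9
    'Windows XP SP1'   = 13
}

$policy    = Get-ADDefaultDomainPasswordPolicy
$threshold = $policy.LockoutThreshold   # 0 means account lockout is disabled in the domain

if ($threshold -eq 0) {
    Write-Output "Domain lockout policy is disabled; this lockout cannot occur."
    return
}

# Enabled local accounts whose name also exists as a domain account.
$atRisk = foreach ($local in (Get-LocalUser | Where-Object Enabled)) {
    $domainUser = Get-ADUser -Filter "SamAccountName -eq '$($local.Name)'" -ErrorAction SilentlyContinue
    if ($null -eq $domainUser) { continue }

    foreach ($os in $AttemptsByOs.Keys) {
        $attempts = $AttemptsByOs[$os]
        [pscustomobject]@{
            Account              = $local.Name
            ClientOs             = $os
            AttemptsBeforePrompt = $attempts
            LockoutThreshold     = $threshold
            # The bad password count reaches the threshold on or before the last
            # silent attempt, so the account is locked before the prompt appears.
            LockedBeforePrompt   = ($threshold -le $attempts)
        }
    }
}

$atRisk | Sort-Object Account, ClientOs | Format-Table -AutoSize
```

Rows with LockedBeforePrompt set to True are the name collisions to resolve (rename or remove the local account, or align the passwords) before relying on the lockout threshold alone.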
More information:
The reason for the high number of authentication requests is that Explorer tries to get information from the server before establishing
the connection to the share. For example, the Windows XP Explorer connects to the server as soon as the user has entered the last backslash
of the server name, to retrieve its shared resources and display them underneath the "Open" command.
Modification Type: Major
Last Reviewed: 4/22/2004
Keywords: KB841075